Data Protection: ECRE’s Privacy Policy and Guidance

The GDPR provides data subjects with a set of rights, notably the right of access. If you want to access the data that ECRE holds in relation to you, please contact the ECRE Communications team:

European Council on Refugees and Exiles: Privacy Policy

ECRE has prepared its Privacy Policy to ensure compliance with the General Data Protection Regulation (GDPR), which came into effect on 25 May 2018. This Privacy Policy is available on request; its existence and availability are mentioned on the ECRE website and in relevant correspondence with those whose data ECRE processes. It is also an annex to the ECRE Staff Handbook and thus provided to all ECRE staff members.

1. Principles

The GDPR is an accountability-based regulation applicable to activities related to the processing of data. Inter alia, ECRE’s Privacy Policy applies the following principles set out in the GDPR.

Data minimisation:

ECRE’s processing of personal data is limited to the data that are relevant, adequate, and necessary for carrying out the purpose for which the data are collected. ECRE does not process or store “unnecessary” personal data, i.e. data that is not needed to fulfil the purpose for which it is collected.  

Lawfulness of processing:

ECRE only processes personal data under the legal grounds provided for in the GDPR. In practical terms, each processing activity is reviewed in light of its purpose to ensure that there is a ground for processing. ECRE follows the compliance requirements for each ground.

Currently, ECRE processes data under the following grounds (others may apply in the future; the Policy will be updated in that case):

  • The processing is necessary for the performance of a contract to which the individual is party (this also covers pre-contractual steps, such as a recruitment procedure).
  • The processing is necessary to comply with a legal obligation.
  • Legitimate interest to undertake the processing. When relying on this ground, ECRE takes extra responsibility for considering and protecting people’s rights and interests. The legitimate interest is identified and ECRE shows that the processing is necessary to achieve the interest. ECRE balances the interest in the processing against the individual’s interests, rights and freedoms.
  • The individual has given consent to the processing of his or her personal data. ECRE offers individuals a choice on whether their data is processed, with a positive opt-in system. The request for consent is for the specific use in question.

2. Vendor relations

Some of ECRE’s data processing activities involve regular data sharing with vendors, which is subject to principles and rules under the GDPR. This triggers different compliance requirements depending on the nature of the vendor (which may be a data controller or data processor).

As the GDPR restricts transfers of personal data outside the EEA, ECRE does not transfer data outside the EEA. Where its vendors do so, the transfer is subject to appropriate safeguards to ensure that data subjects are protected.

As required by the GDPR, all ECRE’s dealings with processors are governed by a contract (or a legal act under applicable law) including data protection related clauses, i.e. a Data Processing Agreement (“DPA”).

For the negotiation of the terms of the DPA, vendors have different policies. ECRE’s vendors have the following policies where the vendors are processors and ECRE is controller for the purposes of the GDPR.

  • Mail Chimp has its own DPA. ECRE has entered into that agreement here.
  • Google Groups required ECRE to sign its own data processing agreement, which ECRE reviewed and accepted.
  • Microsoft 365 and Microsoft Azure (the latter of which is not currently in use) do not require ECRE to enter into any document other than their Online Services Terms, containing GDPR terms that ECRE accepted when subscribing to these services.
  • For Google Analytics, ECRE accepted its Google Ads Data Processing Terms, which include GDPR, when subscribing to the service.
  • SD Worx has a DPA that is an integral part of its traditional service agreement (see 1.3 on this webpage) to which ECRE is a party.
  • Mensura has a Privacy policy that is considered an integral part of the traditional service agreement (available here) to which ECRE is a party.

For all of these vendors, ECRE has accepted and agrees with their terms.

In the following cases, the vendors are considered processors for the purposes of the GDPR but they follow a different approach.

  • Monizze’s general terms and conditions state that Monizze undertakes to process all personal data of beneficiaries received from one of their clients in accordance with the latter’s instructions (assuming that the client is the controller of the processing). ECRE signed a DPA with Monizze in December 2018.
  • ECRE has entered into a DPA with ZonePage.

Finally, some of ECRE’s vendors consider themselves to be data controllers rather than data processors for the purposes of the GDPR. When dealing with controllers, different principles apply.

  • DKV and AXA, providers of insurance services to ECRE, consider themselves as data controllers for the purposes of the GDPR. When transferring personal data to them, you might have to comply with some GDPR provisions. Following a remediation process, ECRE’s insurance broker has informed ECRE that these insurance companies have an adjusted privacy clause in their contracts, with corresponding customer information in the insurance broker’s terms of operation. The companies’ privacy policies can be found on their respective websites. Therefore, no processing agreement has to be drawn up between ECRE and these companies.
  • As DKV’s service to ECRE includes medical services, the processing of medical data is involved, which requires explicit permission from the persons involved. For this reason, DKV has requested and obtained explicit permission from ECRE staff members, the insured parties concerned. Without this permission, their policy prohibits them from handling the files of the persons concerned.

3. Data Protection Officer (DPO)

The GDPR introduces a duty to appoint a DPO for organisations carrying out certain types of processing activities, such as activities requiring large scale, regular and systematic monitoring of individuals, or large scale processing of special categories of data. ECRE’s data processing activities do not fit within the categories necessitating appointment of a DPO. It has thus not appointed a DPO but will periodically review this decision.

4. Training

ECRE has provided training to employees with respect to data protection, in order for them to understand their role in relation to GDPR requirements.

5. Register of processing activities

ECRE has created a register of its data processing activities. The register provides information on the legal grounds under which the processing activity takes place. The register is available on request.

6. Distribution

None of the data processed by ECRE is shared or distributed outside of the ECRE Secretariat, with only the following limited exceptions:

  • Lists of contact details for ECRE members in a particular geographic region are provided to the ECRE Board member responsible for the region. The Board member uses the lists only for the purposes listed in the ECRE GDPR Personal Data Register and in using the data is acting as an agent of ECRE.
  • Lists of participants at ECRE events are shared with the donors that provide funding for the activities in question. Participant lists include only the name and organisation of the participant. At the top of the list of participants, there is an explanation of the purpose of the list (“As a contractual requirement of the funding of this event, ECRE has to collect the signatures of participants. The data is shared with the donor but not distributed further.”) Sharing lists of participants registered at an event is required by the contracts with the donor, but the scope of information gathered is limited to the name and organisation.

7. Other

ECRE does not use cookies nor does it use PayPal.

Annex 1: Guidelines

In order to ensure compliance in the following areas the guidelines below are followed by all ECRE staff members. They have received training on the application of the guidelines.

Retention and Deletion of Personal Data

The GDPR requires you to demonstrate that you have procedures and processes in place to ensure that personal data should only be retained for the time necessary to fulfil the purpose of the processing. The Register of Personal Data processing activities shows the retention period for each data processing activity. At the end of the specified period, data should be deleted.

Data Breach: Policy and Procedures

In case of a breach of ECRE’s Privacy Policy concerning personal data, the ECRE Secretary General should be informed. A data breach assessment will be carried out by the ECRE Secretary General and the Senior Communications Coordinator. The staff member responsible for the breach is obliged to provide all information on the cause of the breach in order that the assessment be carried out.

When warranted, the ECRE Secretary General will notify the relevant authorities and communicate to the data subjects about the nature of the breach.

Remedial action will be taken to ensure no recurrence of the breach and, where necessary, to assess the risk of other breaches.

Subject Access Right Policy and Procedures

The GDPR provides data subjects with a set of rights, notably the right of access. In order to enable individuals to exercise their rights, including the right of access, ECRE will provide data subjects with information on the data that it holds in relation to them should they request it.

If a subject wants to access and then correct the data that ECRE holds in relation to them, they can contact the ECRE Communications Coordinator. Once the data has been provided, they can then request that it be corrected or removed. Information on these rights appears on the ECRE website, along with the email address of the Communications Coordinator.