PRIVACY AND PROTECTION NOTICE
REGARDING PERSONAL DATA
1. Who is accountable for your data? Where shall you address the exercise of your rights?
1.1. Controller of your Data is the Erasmus Student Network UK CIC (ESN UK) , including its nineteen (19) local sections, which is a Non-Profit Community Interest Company, seated in 68 Rhondda Street, Mount Pleasant, Swansea, United Kingdom, SA1 6ET as legally represented, with the e-mail address firstname.lastname@example.org.
1.2. ESN UK, along with its local sections, has a GDPR volunteer with contact e-mail email@example.com, where you can address all requests for exercising all of your below mentioned rights (under 3.1 -3.6).
2. General principles of ESN UK regarding the transparent information:
2.1. Any piece of information that is provided with the present and any other information that may be asked in the future, is provided free of charge, subject to the requirement not to be repeated, excessive or manifestly unjustified (see under 2.3).
2.2. For each of the below-mentioned rights that you exercise, ESN UK will reply within one (1) month from the receipt of the request or in the case of objective difficulties, complexity of the request or the number of requests, ESN UK shall respond, within a maximum period of three (3) months in total, either by accomplishing your request or by justifiably refusing to perform what you have requested for legitimate reasons expressly specified in General Data Protection Regulation 679/2016 (hereafter “GDPR”).
2.3. In the event that ESN UK considers that one of your below mentioned rights is being exercised manifestly unjustified or the request is excessive or (to a greater extent) has a repetitive character, it is entitled, on one hand, to charge you with a reasonable fee in order to provide further information (which in principle is free of charge) and, on the other hand, to refuse to respond to the request.
2.4. In case where ESN UK has reasonable doubts as for your identity when you submit a request for exercising one of your below rights, it may ask you to provide further information, necessary for confirming your identity, before the processing of your request.
2.5. In the event that ESN UK delays beyond the reasonable period of time to respond to your request, or in any other occasion where you consider that any of your rights is being violated, or in case ESN UK does not comply with its Obligations regarding the retention of your Data, you have the right to submit a complaint to the supervisory authority (Information Commissioner’s Office by following this link https://ico.org.uk/make-a-complaint/).
2.6. You reserve the right to withdraw your previously (possibly) given consent at any time by submitting a relevant written request to the e-mail address firstname.lastname@example.org (see 1.2.).
3. Which are your rights in relation to the Personal Data that you provided us with?
3.1. Right to be informed
You reserve the right to request information in relation to the personal data which we have received from you and we maintain for one or more purposes, as described below under clauses A to D. The present text constitutes in its entirety a manual of basic awareness and understanding of the philosophy of the regulatory framework that runs through the protection of your personal data. Update, further explanation, and clarifications as for this text can be provided to you, following your request for the exercise of your right to be informed (see how in 1.2.).
3.2. Right to access
You reserve the right to request from ESN UK access to your information that we maintain and confirmation as to whether they are being processed, and more specifically, information about the purposes of the processing, the categories of personal data, the recipients or the categories of recipients, the period for which the data will be stored and processed, the right to lodge a complaint with the Hellenic Data Protection Authority, any available information about the origin of the data, if the data have not been obtained from you, safeguards about the policy we follow when transfers to third countries are being carried out, and a copy of the personal data being kept and processed (see how in 1.2).
3.3. Right to rectification
You reserve the right to request from ESN UK rectification of your data, in case any of the data that we have the right to process has been altered or incorrectly submitted (see how in 1.2).
3.4. Right to erasure
You reserve the right to request from ESN UK the complete or partial erasure of your data that we are entitled to store and process, either because they are no longer necessary for the purposes for which they were collected, either because you withdraw your consent, or because your data were collected for a purpose that you consider illegal. ESN UK, within a reasonable period of time (no more than one month, and under circumstances, if there is difficulty, no more than three months in total) shall reply to you by confirming the complete or partial erasure of your data or the inability to erase some data, if any law or the performance of a task carried out in the public interest, or the right of freedom of expression and information, or the exercise or defence of any legal claim requires their maintenance. In such a case, on one hand, you have the right to lodge a complaint with the Information Commissioner’s Office (see how in 2.5.), and on the other hand, the right to an effective judicial remedy.
3.5. Right to restriction
You reserve the right to request from ESN UK the restriction of the processing of your data, in terms of quantity, time or in relation to the purpose of their processing, and more specifically (a) either because you contest the accuracy of your data and for as long as ESN UK needs in order to verify its accuracy, (b) either because you consider the processing to be illegal, and instead of the erasure of the data you opt for its restriction, (c) either because its use from ESN UK is no longer needed, however, you do not wish its erasure since their preservation shall serve for some juridical claim, (d) or, in case where you have objections to the processing of the data and until it is verified that your rights as a Data Subject are overriding the legitimate grounds of ESN UK for processing (see how in 1.2).
3.6. Right to portability
You reserve the right to receive the personal data you have provided us with, in a structured, commonly used and machine-readable format, as well as the right to transfer them further without objection, given that the processing is being carried out on the grounds of your consent.
The present right is exercised, subject to the conditions of erasure, as described above (under 3.4) and its exercise shall not adversely affect the rights and freedoms of other Data Subjects.
4. Is there any possibility that your Data are transferred somewhere else?
There is no provision that your Data shall be transferred to any organization outside ESN UK itself and its local sections, with the exception of (a) the service providers for the electronic systems and networks of ESN UK and its local sections, and for the sole purpose of the performance on their behalf of the contract to support ESN UK and its local sections, (b) the competent tax or other authorities within the framework of our mandatory compliance with the tax or other legislation and to the extent (and given) that it is necessary, and (c) partners of ESN UK in the context and under the terms of a binding contract (including data protection) between them and ESN UK, only for the (restricted) cases and given (and to the extent) that it is absolutely necessary for fulfilling our statutory goals & objectives, such as promoting mobility and British culture by organising respective activities/events (i.e. hotels, travel agencies etc.).
ESN UK does not process any personal data related to racial or ethnic or political opinions or religious or philosophical matters & beliefs, or data concerning health, unless it has the individual’s explicit consent to do so, and never for the purpose of uniquely identifying a natural person.
We assure you that ESN UK shall take any technical and organisational data protection means and shall make only the optimum, minimum and absolutely necessary use and processing of your Data, as defined by the law, and strictly and exclusively for the purpose for which you have provided them to us.
Specific provisions regarding the individual categories of Personal Data Subjects, that apply cumulatively with the above general provisions of the Policy.
(A) RECΙPIENTS OF COMMUNICATION
A.1. Purpose: The receipt, processing and preservation of your Data that were given exclusively in the framework of communication, is executed for the sole purpose of your briefing about the events & activities of ESN UK, as well as for providing you any help & information falling under our area of interests and expertise, as asked.
A.2. Legitimate Basis of the Processing: Your consent to the processing of your Data, in order to fulfil the above mentioned relevant purposes, constitutes the legitimate basis of this processing, in accordance with art. 6§1a GDPR.
A.3. Data Retention Period: In order to fulfil the above mentioned purpose of the processing, we consider it reasonable and necessary to store your relevant Data for a period of one (1) year. After one year from the time you provided your consent, the relevant Data shall be deleted, unless you provide us anew with your consent under the above conditions.
(B) INCOMING ERASMUS+ STUDENTS and INTERNATIONAL STUDENTS
B.1. Nature - Legitimate Basis
(a) The process of your personal Data (that is, indicative, your full name, e-mail address, telephone number, address, Facebook profile, country of origin/ sending HEI, field of studies, duration of your stay, information regarding your question/problem etc.), obtained via any means of communication (e.g. filling a contact form on our website, direct sending e-mail, direct sending a Facebook/Messenger message), generally takes place for the purpose of providing help and information on the events and activities of ESN UK and/or its local sections, upon your relative consent, which is the legitimate basis of process (art. 6§1a and 9§2a GDPR); this purpose identifies with our legitimate interest (art. 6§1f GDPR) to pursue our legal statutory goals & objectives, such as promoting mobility & Greek culture, in the context of cultivating multiculturalism.
(b) In case that any form of transaction with ESN UK and/or its local sections takes place, the above mentioned Data (as well as the Data you shall provide us with, in the framework of our transaction) shall be processed for the purposes of carrying out the transaction and of our compliance with tax and other legislation, which constitute the legitimate basis of processing (art. 6§1b,c GDPR).
B.2. Data Retention Period
We shall keep the above under B.1.(a) Data for one (1) year and afterwards we shall erase them. Regarding the above under B.1.(b) Data, they shall be reserved for as long as it is necessary according to tax or other legislation.
(C) OUTGOING ERASMUS+ STUDENTS and POTENTIAL MEMBERS
C.1. Nature - Legitimate Basis
(a) The purpose of processing your Data (that is, indicative, your full name, e-mail address, telephone number, address, Facebook profile, HEI, field of studies, information regarding your question/problem etc.), obtained via any means of communication (e.g. filling a contact form on our websites, direct sending e-mail, direct sending a Facebook/Messenger message), is to provide help and information on the events and activities, as well as to evaluate your possible recruitment by ESN UK and/or its local sections upon your relative consent, which is the legitimate basis of process (art. 6§1a GDPR); both purposes identify with our legitimate interest (art. 6§1f GDPR) to pursue our legal statutory goals & objectives, such as promoting mobility towards native students, cultivating multiculturalism and seeking the growth of our network of volunteers via recruitment.
(b) In case that any form of transaction with ESN UK and/or its local sections takes place, the above mentioned Data (as well as the Data you shall provide us with, in the framework of our transaction) shall be processed for the purposes of carrying out the transaction and of our compliance with tax or other legislation, which constitute the legitimate basis of processing (art. 6§1b,c GDPR).
C.2. Data Retention Period
We shall keep the above under C.1.(a) Data for one (1) year and afterwards we shall erase them. Regarding the above under C.1.(b) Data, they shall be reserved for as long as it is necessary according to tax or other legislation.
(D) PARTICIPANTS IN ACTIVITIES/ EVENTS
D.1. Nature - Purpose
(a) Along with the Data under B.1. or C.1. for incoming exchange and outgoing native students respectively, depending on the nature of the respective activity/ event taking place, we may ask you to provide us with data concerning your health (e.g. possible allergies), in order to allow & guarantee your safe participation.
(b) Furthermore, it is possible that we record the activity/event in video and/or in images (photos) for the purpose of showcasing our work and capturing memorable moments of activities/events/actions of ours.
D.2. Legitimate Basis
Your consent upon registering to the respective activity/event is the lawful basis for processing your data concerning health, according to art. 9§2a GDPR, whereas the above mentioned recording of the respective activity/event falls under our legitimate interest (art. 6§1f GDPR) to pursue our statutory goals & objectives, including promotion of mobility & multiculturalism via organising activities, events and/or conferences of educational, scientific, cultural, sports and/or entertaining content.
D.3. Data Retention Period
We shall keep the above under D.1.(a) Data for one (1) year and afterwards we shall erase them. The Data under D.1.(b) are expected to be kept for an indefinite period, unless there is a good reason to protect an individual's personal data which supersedes our legitimate interest claim, upon the exercise of your rights under 3.1-3.6.