Data Protection Policy

This policy applies to anyone who has access to ERRC paper files, including archived documents, to anyone with an ERRC email account, and to anyone with access to the ERRC’s server.

This policy is designed to ensure that the ERRC complies fully with national and European Union rules on data protection. Vivien Brassói (vivien.brassoi@errc.org) is the ERRC’s Data Protection Officer. Employees and long-term consultants must follow any indications given to them by the Data Protection Officer falling within the scope of this policy, even if she is not their direct supervisor.

We hold three types of information:

  • Organisational information. This includes publicly available information about the ERRC, such as our annual audited accounts which are available on our website. It also includes some confidential information. Such organisational information is not covered under this policy, unless it also qualifies as personal data or sensitive personal data. We have separate, internal rules on confidential organisational information.
  • Personal data. This includes information about individuals such as names, addresses, and job titles. We hold personal information about ERRC employees, people who donate money to us, and our cooperation partners, such as consultants, lawyers, staff at NGOs, litigants and witnesses in legal cases we are supporting, and people who are subjects of research we have conducted. Personal data is covered by this policy.
  • Sensitive personal data. This includes information about a person’s racial or ethnic origin, political opinions, religious beliefs, trade union activities, physical or mental health, sexual life, or details of criminal offences. For example, information that a given person is of Romani ethnicity is sensitive personal data. We hold sensitive personal information about some employees and consultants who work with us, some donors and supporters, and about cooperation partners, including litigants in cases and people who agree to be interviewed for research purposes. Sensitive personal data is covered by this policy.

It is a legal requirement that people know what we are doing with their information and with whom it will be shared.

We will only hold information for specific purposes. We will inform people whose data we hold (‘data subjects’) what those purposes are. We will also inform them if those purposes change.

Data subjects are always entitled to access their data and ask for it to be updated. Data subjects will be able to have access within a reasonable time to information we hold about them and the purpose for which we are holding it. We seek to maintain accurate information by creating ways in which data subjects can update the information we hold about them.

Data subjects have the option not to receive promotional mailings from us or other organisations.

Subject to any rules of the organisation awarding us funding, personal data or sensitive personal data will not be retained once it is no longer required for its stated purpose, and we will not keep more than a project requires or surplus information ‘just in case’. We delete or destroy personal data and sensitive personal data when it is no longer required.

At the beginning of any new project or type of activity, the member of staff managing it will consult the Data Protection Officer about any data protection implications.

There may be situations where we work in partnership with other organisations on projects which require data sharing. We will clarify which organisation(s) is/are responsible for the data and will ensure that the organisation and person or people responsible deal correctly with any data which we have collected.

Paper records containing personal data or sensitive personal data are kept in locked filing cabinets and only accessed when needed. When papers containing personal data or sensitive personal data are no longer needed, they are destroyed securely, using a shredder. 

Electronic files are kept on drives on the ERRC’s secure cloud server; access to those drives is restricted to those employees, long-term consultants, and volunteers who need it. Email accounts, individual document storage, and access to our server are password protected. All those with access are required to use strong passwords. The Data Protection Officer instructs the ERRC’s IT support to regularly test staff passwords for strength. We only store personal data or sensitive personal data on those drives to which access is limited to those who need access to that data. We do not email personal data or sensitive personal data to individuals who do not need to have access to that data, and we delete personal data and sensitive personal data from our emails when it is not or no longer needed for our work. When those with ERRC email accounts end their relationship with the ERRC, their email accounts are closed and archived, and the archives are stored securely.

We make sure all portable devices, such as memory sticks and laptops, used to store personal data or sensitive personal data are encrypted. Staff are prohibited from storing personal data or sensitive personal data on personal laptops, memory sticks, or other devices, or placing them on insecure servers. Employees and long-term consultants may only access the ERRC’s secure cloud server through a secure connection and may not copy or store materials from that cloud server onto any other server or device.

We always process personal data and sensitive personal data when there is a legal requirement for us to do so. Otherwise, we process personal data and sensitive personal data about particular individuals as follows:

Litigants and witnesses in legal cases. The ERRC endeavours to secure written agreement from litigants and witnesses whenever possible explaining how their personal data and sensitive personal data will be processed, and to secure written consent to that processing. We also secure consent to process litigants’ personal data and sensitive personal data by securing written consent to act on their behalf in litigation (e.g. by obtaining a signed application form for the European Court of Human Rights). The ERRC will also process the personal data of litigants in order to protect their vital interests in respect of litigation in which those litigants have agreed to participate. The ERRC considers that we have a fundamental interest in processing personal data to the extent necessary to ensure the successful litigation of legal claims and, where there is no other basis for processing personal data, we will balance this fundamental interest against the rights of the individuals concerned. Personal data and sensitive personal data about litigants and witnesses in legal cases are maintained in two places: paper and electronic files. Paper files are kept in locked cabinets which are accessible to members of the legal team and administrative staff who assist them. Electronic files are saved on drives and email accounts which are only accessible to staff, consultants, and volunteers who need to have access to the relevant information. Processing of personal data and sensitive personal data of litigants and witnesses may involve: using such data in submissions to courts and similar decision-making bodies; sharing information with lawyers or NGOs with whom we have cooperation agreements in order to prepare such submissions; and preparing communications materials about cases. The ERRC requires cooperation partners to adhere to the same data protection standards as the ERRC. 
When cases are closed, paper files are stored in the ERRC’s physical archive, to which administrative staff have access, and electronic files remain in electronic folders with restricted access.

Subjects of ERRC research. ERRC research may involve collecting and even publishing personal data and sensitive personal data about people. The subjects of that data are always asked for written consent which fully explains what use will be made of the data. Such data is only made public with the express written permission of the people concerned. In relation to any other form of processing of such data, the ERRC maintains that we have a legitimate interest in processing personal data so as to ensure the scientific validity of any research we undertake; where there is no other basis for processing personal data in this category, the ERRC will balance this fundamental interest against the rights of the individuals concerned. Personal data and sensitive personal data about research subjects is maintained in two places: paper and electronic files. Paper files are kept in locked cabinets which are accessible to members of the legal team and administrative staff who assist them. Electronic files are saved on drives and email accounts which are only accessible to staff and volunteers who need to have access to the relevant information. When research matters are closed, paper files are stored in the ERRC’s physical archive, to which administrative staff have access, and electronic files remain in electronic folders with restricted access. In cases where the ERRC has an agreement with a third party to cooperate on research, such as with an NGO, the ERRC requires those partners to uphold the same data protection standards and we will only share personal data or sensitive personal data with the express permission of the data subjects. The ERRC requires cooperation partners to adhere to the same data protection standards as the ERRC.

Cooperation partners. Cooperation partners, such as lawyers and people working with NGO partners, by virtue of cooperating with the ERRC, agree to have their personal data and sensitive personal data handled by the ERRC in accordance with this policy. Agreements with cooperation partners (such as contracts and grant agreements), as well as invoices and other documents shared with us in the course of cooperation, may contain personal data and sensitive personal data about those partners. The ERRC endeavours to make clear in all agreements with partners what data will be handled and how, and to secure their consent in writing in those agreements. We will also process cooperation partners’ personal data when it is in their vital interest to do so. The ERRC maintains that we have a legitimate interest in ensuring that we can demonstrate to our funders, accountants, auditors, and to the tax authorities and others that we have spent the money entrusted to us in an appropriate and lawful manner; where there is no other basis for processing personal data in this category, we will balance this fundamental interest against the rights of the individuals concerned. Processing of this kind of data includes sharing the data with accountants and auditors whom the ERRC engages to ensure we are complying with our obligations and, if asked, sharing this data with national authorities. Data about cooperation partners is maintained in two places: paper and electronic files. Paper files are kept in locked cabinets which are accessible to members of the legal team and administrative staff who assist them, as well as the finance team. Electronic files are maintained on drives and email accounts which are only accessible to senior management, the finance team, and administrative staff who assist them. These documents may also be stored on the email accounts of those who have access to them, as attachments.

Staff and consultants (including applicants). Applications for employment and bids for consultancies which contain personal data and sensitive personal data are kept in electronic files. Electronic files are maintained on drives and email accounts which are only accessible to those involved in the recruitment or selection process. Personal data and sensitive personal data submitted in the course of recruitments or selection processes are shared with members of the recruitment or selection panel to enable them to make a decision. Privacy statements are included in job advertisements or calls for consultants, and applicants consent to having their personal data and sensitive personal data processed by submitting such applications and asking for them to be considered. We will also process personal data in this category when it is in the data subject’s vital interest. The ERRC considers that we have a legitimate interest in demonstrating to funders, auditors, or officials that all recruitment and selection processes have been in accordance with our policies, relevant laws, and agreements to which we are a party; where there is no other basis for processing personal data in this category, the ERRC will balance this fundamental interest against the rights of the individuals concerned. All files containing personal data or sensitive personal data are destroyed at the end of the recruitment process in respect of unsuccessful candidates. Those selected for employment or a consultancy will have their data shared with and stored by our finance department, in order to facilitate their contractual relationship with the ERRC. This includes data collected in accordance with our safeguarding policy. Those data are stored in paper files kept in locked filing cabinets only accessible to the finance department and in electronic form on a shared drive accessible only to the finance department and senior management.

Subscribers to the ERRC mailing list and other online followers and supporters. The ERRC uses personal data concerning those who have agreed to subscribe to the ERRC’s mailing list or to manifest their support for the ERRC online only for the purposes of maintaining contact with such individuals and offering them opportunities to support the ERRC’s work. Such information is never shared with third parties, except for third-party contractors (data processors) who enable us to engage in those activities and who, by virtue of our contractual relationship with them and by law, respect the same data protection standards we respect. The information is maintained electronically on drives only accessible to staff who need to have access to them to do their jobs. We obtain consent from subscribers and supporters online at the moment they sign up, by asking them to agree to a privacy notice they can read at the time of subscribing. The ERRC considers that we have a fundamental interest in ensuring that we maintain a vibrant, active community of committed online followers and supporters; where there is no other basis for processing personal data about online followers and supporters, we will balance this fundamental interest against the rights of the individuals concerned. 

Individual donors. The ERRC’s finance department keeps information about the identity of individual donors in order to ensure that we can show auditors and officials the origin of our funds and so that we are able to maintain a record of who has given money to us, to express our appreciation, and to provide them with information about our work. Donors are asked to provide consent for the processing of their data at the time that donations are made through data processing services (i.e. online services facilitating donations) with whom we contract, and who are required by law to respect the same data protection rules that apply to the ERRC. The ERRC considers that we have a fundamental interest in maintaining strong relationships with past donors and demonstrating the legitimacy of all donations; where there is no other basis for processing the personal data of individual donors, we will balance this fundamental interest against the rights of the individuals concerned. Information about individual donors is maintained by the finance team on a password-protected drive and in emails between the finance team and senior management.

Board members, advisory board members, and others involved in the governance of the ERRC. The ERRC processes data about those involved in the governance of the ERRC in accordance with this manual and with national law. This data is processed by the Management Assistant and the finance department, with the consent of the people concerned. We will also process such data when it is in the vital interests of the data subject. The ERRC has a legitimate interest in ensuring compliance with our own policies, notably our conflict-of-interest policy, and in assuring funders and auditors that the organisation is well-governed and spending its money in accordance with all relevant rules; where there is no other basis for processing personal data in this category, the ERRC will balance this fundamental interest against the rights of the individuals concerned.

Any staff member who is aware of a breach of any provision of this policy must inform her/his supervisor or main contact immediately in order to ensure that the appropriate rules about data breaches are followed. Failing to report a data breach may result in disciplinary action or dismissal.

Employees who have not previously received training on data protection will receive such training, and all new employees will receive training on data protection.
