Data Protection Policy

This policy applies to anyone who has access to the ERRC’s office and/or paper archive, to anyone with an ERRC email account, and to anyone with access to the ERRC’s server (in the office or through a virtual private network).

This policy is designed to ensure that the ERRC complies fully with national and European Union rules on data protection. The Managing Director, Adam Weiss (adam.weiss@errc.org), is responsible for the implementation of this policy. Staff members must follow any indications given to them by the Managing Director falling within the scope of this policy, even if the Managing Director is not their direct supervisor.

We hold three types of information:

  • Organisational information. This includes publicly available information about the ERRC, such as our annual audited accounts which are available on our website. It also includes some confidential information. Such organisational information is not covered under this policy, unless it also qualifies as personal data or sensitive personal data. We have separate rules on confidential organisational information.
  • Personal data. This includes information about individuals such as names, addresses, and job titles. We hold personal information about ERRC employees, people who donate money to us and our cooperation partners, such as consultants, lawyers, staff at NGOs, litigants and witnesses in legal cases we are supporting, and people who are subjects of research we have conducted. Personal data is covered by this policy.
  • Sensitive personal data. This includes information about a person’s racial or ethnic origin, political opinions, religious beliefs, trade union activities, physical or mental health, sexual life, or details of criminal offences. For example, information that a given person is of Roma ethnicity is sensitive personal data. We hold sensitive personal information about some employees and consultants who work with us, some donors and supporters, and about cooperation partners. Sensitive personal data is covered by this policy.

We will not hold information about individuals without their knowledge and consent. It is a legal requirement that people know what we are doing with their information and with whom it will be shared.

We will only hold information for specific purposes. We will inform people whose data we hold (‘data subjects’) what those purposes are. We will also inform them if those purposes change.

Data subjects are always entitled to access data about themselves and ask for it to be updated. Data subjects will be entitled, within a reasonable time, to have access to the information we hold about them and to know for what purpose it is held. We will seek to maintain accurate information by creating ways in which data subjects can update the information we hold about them.

Information about data subjects will not be disclosed to other organisations or to individuals who are not members of our organisation, staff, or trustees except in circumstances where this is a legal requirement, where there is explicit or implied consent, or where information is already publicly available.

Subject to any rules of the organisation awarding us funding, information will not be retained once no longer required for its stated purpose, and we will not keep more data than a project requires or surplus information ‘just in case’. We delete personal data when no longer required.

At the beginning of any new project or type of activity the member of staff managing it will consult the Managing Director about any data protection implications.

There may be situations where we work in partnership with other organisations on projects which require data sharing. We will clarify which organisation(s) is/are responsible for the data and will ensure that the organisation and person or people responsible deal correctly with any data which we have collected.

Paper records containing personal data or sensitive personal data are kept in locked filing cabinets and only accessed when needed. When papers containing personal data or sensitive personal data are no longer needed, they are destroyed securely, using a shredder located in our office.

Electronic files are kept on drives on the ERRC’s in-house server, which is located in the ERRC’s office; access to those drives is restricted to those who need it. IT equipment (including the ERRC’s server) is kept in a locked room which is only opened when needed; access to that room is restricted. A back-up is kept in a secure location off-site and is regularly replaced. Email accounts and individual document storage are password protected. All staff are required to use strong passwords. The Managing Director regularly instructs the ERRC’s IT support to test staff passwords for strength. We only store personal data or sensitive personal data on drives to which access is limited to those who need access to that data. We do not email personal data or sensitive personal data to individuals who do not need to have access to that data, and we delete personal data and sensitive personal data from our emails when it is not or no longer needed for our work. When those with ERRC email accounts end their relationship with the ERRC, their email accounts are closed and archived onto CD-ROMs, which are stored securely.

We make sure all portable devices – such as memory sticks and laptops – used to store personal information are encrypted. Staff are prohibited from storing personal data or sensitive personal data on personal laptops, memory sticks, or other devices that are not the property of the ERRC. Staff are also prohibited from placing them on insecure ‘cloud’ servers. Staff working from outside the office may only access the ERRC’s server on ERRC equipment using the ERRC’s virtual private network.

Litigants and witnesses in legal cases. It is necessary for the establishment, exercise, or defence of legal claims for the ERRC to process the personal data and sensitive personal data of litigants and witnesses in cases the ERRC is supporting. The ERRC endeavours to secure written agreement from litigants and witnesses whenever possible explaining how their data will be processed. Personal data and sensitive personal data about litigants in legal cases is maintained in two places: paper and electronic files. Paper files are kept in locked cabinets which are accessible to members of the legal team and administrative staff who assist them. Electronic files are saved on drives and email accounts which are only accessible to staff and volunteers who need to have access to the relevant information. In cases where the ERRC has an agreement with a third party to cooperate in litigation, such as a lawyer or an NGO, the ERRC will share personal data and sensitive personal data as necessary to establish, exercise, or defend the legal claims involved. When cases are closed, paper files are stored in the ERRC’s physical archive, to which administrative staff have access, and electronic files remain in electronic folders with restricted access. Litigants’ and witnesses’ personal data and sensitive personal data may also be shared with cooperation partners, to the extent necessary to allow for the establishment, exercise, or defence of legal claims. The ERRC requires cooperation partners to adhere to the same data protection standards as the ERRC.

Subjects of ERRC research. ERRC research may involve collecting and even publishing personal data and sensitive personal data about people. The subjects of that data are always asked for written permission which fully explains what use will be made of the data. Such data is only made public with the express written permission of the people concerned. Personal data and sensitive personal data about research subjects is maintained in two places: paper and electronic files. Paper files are kept in locked cabinets which are accessible to members of the legal team and administrative staff who assist them. Electronic files are saved on drives and email accounts which are only accessible to staff and volunteers who need to have access to the relevant information. When cases are closed, paper files are stored in the ERRC’s physical archive, to which administrative staff have access, and electronic files remain in electronic folders with restricted access. In cases where the ERRC has an agreement with a third party to cooperate on research, such as with an NGO, the ERRC requires those partners to uphold the same data protection standards and will only share personal data or sensitive personal data with the express permission of the people concerned. The ERRC requires cooperation partners to adhere to the same data protection standards as the ERRC.

Agreements with cooperation partners. Cooperation partners, such as lawyers and those working with NGOs, by virtue of cooperating with the ERRC, agree to have their personal data and sensitive personal data handled by the ERRC in accordance with this policy. The ERRC endeavours to make clear in all agreements with partners what data will be handled and how. Agreements with cooperation partners (such as contracts and grant agreements) may contain personal data and sensitive personal data about those partners. These agreements are maintained in two places: paper and electronic files. Paper files are kept in locked cabinets which are accessible to members of the legal team and administrative staff who assist them, as well as the finance team. Electronic files are maintained on drives and email accounts which are only accessible to senior management, the finance team, and administrative staff who assist them. These documents may also be stored on the email accounts of those who have access to them, as attachments. Such agreements and documents related to them may be shared with auditors and donors in accordance with the ERRC’s legal obligations.  

Recruitment of staff and consultants. Applications and bids which contain personal data and sensitive personal data are kept in two places: paper and electronic files. Paper files are in the possession of the members of the recruitment or selection panel and administrative staff assisting them. Electronic files, likewise, are maintained on drives and email accounts which are only accessible to those involved in the recruitment process. All paper and electronic files containing personal data or sensitive personal data are destroyed at the end of the recruitment process; paper documents are shredded and electronic documents are permanently deleted.

The ERRC mailing list and other lists of online followers and supporters. The ERRC uses personal data concerning those who have agreed to subscribe to the ERRC’s mailing list or to manifest their support for the ERRC online only for the purposes of maintaining contact with such individuals and offering them opportunities to support the ERRC’s work. Such information is never shared with third parties, except for third-party contractors who enable us to engage in those activities and who, by virtue of our contractual relationship with them and by law, respect the same data protection standards we respect. The information is maintained electronically on drives only accessible to staff who need to have access to them to do their jobs.

Signs in our office remind staff to respect data protection and to dispose of confidential data appropriately.

Staff members and long-term consultants who have not previously received training on data protection will receive such training, and new staff will receive training on data protection.
