This privacy notice provides information pertaining to processing of personal data by the European Council on Foreign Relations (ECFR) group. Additional and different privacy notices on processing personal data may apply in certain cases, for instance if you are an ECFR employee or if you are applying for employment at ECFR.
Who does this privacy notice apply to?
This notice applies to anybody engaging or interacting with us, such as :
- Council Members of ECFR;
- Board Members of ECFR;
- speakers, participants, or guests at one of our events;
- recipients of our publications, including but not limited to policymakers, members of parliament, journalists, and experts;
- donors/financial supporters of ECFR;
- potential financials supporters of ECFR;
- suppliers or a partners in the delivery of ECFR activities, such as events;
- consultants contracted by ECFR;
- participants in an ECFR poll or interviewees in research conducted by ECFR staff;
- recipients of ECFR advocacy mails, newsletters, event invitations, and media advisories;
- anybody in other ways affiliated with us.
Who is responsible for processing your personal data?
The European Council on Foreign Relations (ECFR) group is a pan-European networked and integrated organisation, which includes six registered legal entities in France, Germany, Italy, Spain, and the UK. ECFR legal entities are jointly responsible for the processing of your personal data according to article 26 of the GDPR and UK GDPR regulations.
ECFR legal entities, as joint controllers according to article 26 GDPR and UK GDPR, have agreed that ECFR Deutschland GmbH will take primary responsibility for ensuring compliance with GDPR and UK GDPR obligations, in particular with transparency obligations and individuals’ rights.
Our contact details
If you have any questions about how we process your personal data, please address them to European Council on Foreign Relation (ECFR) e.V., Berlin or our data protection officer.
For additional information about ECFR, our activities, and the details of authorised representatives, please refer to the imprint on our website.
ECFR data protection officer
ECFR Deutschland GmbH has appointed a data protection officer (DPO). In case of any queries, you can reach the DPO using the contact details above and adding “attn of the DPO” or via e-mail: [email protected]
What personal data will we process and for which purposes? Do we share any personal data for these purposes?
We will collect your personal data to enable us to satisfactorily conduct our business relationship with you, whether as a supplier, service provider, consultant, or other business partner. We will only process relevant contact, contract, payment, and invoice data.
Where necessary, your personal data may be shared with other business partners engaged with the same project.
If you receive payments from ECFR, we may need to document this in expense reporting to our donors for our projects or programmes. We will keep this to a minimum, disclosing only your name, title, affiliation, and the funding amount.
If you communicate with us via e-mail, the personal data transmitted with the e-mail will be stored. We will, of course, use the data from your e-mails exclusively for the purpose for which you provide them to us when contacting us.
We keep a contact database of stakeholders relevant to European foreign policy as it is essential for our work to remain up to date on relevant decision-makers at the national and the pan-European levels. We collect personal data such as your name, e-mail address, affiliation, job title, and communication preferences. We also classify contacts by location, field of interest, expertise, employer, position, and department.
Newsletters, campaign mailouts, and event invitations
One of our main objectives as an international think-tank is to promote awareness about our publications, analyses, and other content. Therefore, we regularly send out newsletters, campaign mailouts, event invitations, and media advisories. We also keep a record of which mailouts have been sent to which contacts. We aim to send these to any contacts whom we assume to be interested in our work. We will always try to send you information that we think may be interesting and relevant to your field of work. You may object to some or any of these mailouts at any time by following the link at the bottom of each e-mail. You can also contact us by post or email using the above contact details.
Polls and interviews
We have an extensive network of consultants and experts throughout Europe who conduct research, via interviews and opinion polls, to draft policy reports and various publications.
All the data collected from the polling and survey tools we use for our research – for example country, category of employer, and personal insights – will be anonymised, although we may sometimes ask you directly to voluntarily provide your contact information so that we may gain more insight. Your personal contact information is always kept separately from any polling or survey results and cannot be correlated.
In the case of more extensive interviews, our partners may record your name or position and take minutes of the conversation. You will always be informed of this in advance and will be able to withdraw your consent or object directly to our partners.
Events and meetings
In the course of hosting events, whether online or in-person, we will process your personal data to prepare, organise, and host the event. This includes your name, e-mail address, affiliation, job title, RSVP status, invitation status, whether you attend the event, as well as other contact or registration details if provided. We process these data to keep track of registrations, to allow us to keep you updated about details relating to the event (such as topics, speakers, and schedules), and to ensure a diverse and relevant audience.
Registered participants may be entered into our database so we may contact them about similar future events. If you do not want to receive event invitations from us, you may object by sending an e-mail to [email protected] or by replying to the event invitation, without incurring costs other than the basic transmission costs.
Photos, audio and video
We may take photos and recordings at our events and may use these later to report about our activities or raise awareness on our website, on social media and in other print or online formats.
If you do not wish your image to be taken or used, you may object at any time before, during, or after the event, for example, by contacting us via e-mail or otherwise using the above contact details.
We may film in-person or online events to provide them to a wider audience, for instance, by livestreaming them on our YouTube channel.
In some cases, at in-person events, we use external providers such as photographers or videographers.
Lists of participants
Usually, ECFR keeps a list with names and affiliations of confirmed participants. This list, together with the final agenda of the event, is often circulated to participants, speakers, and donors who provide funding for the event. A list of participants and their affiliation displayed at the event helps with networking – especially for smaller-scale high-level activities.
If an event is on the record, the content of the discussion and the speakers can be disclosed publicly. For sessions taking place under the Chatham House Rule, participants are free to use the information received, but neither the identity nor the affiliation of the speakers can and will be shared. For off-the-record events, no information on the discussion can and will be shared.
If we host an event at an external venue, such as an embassy, we may be required to share a list of registered participants with the venue prior to the event, so that the venue can implement an access checks.
We will process such data as is required to hold both online and in-person meetings. This includes your name, e-mail address, affiliation, job title and usually the date and topics of the meeting.
Online events and meetings
Use of video conferencing tools leads to the processing of various personal data, the scope of which is partly dependent on what details you enter before and during your participation in an online event.
- In case of online events, while visiting the website of the respective provider, for example Zoom, the provider is the controller and thereby responsible for processing your personal data for the duration of your visit to the website. You are not, however, obliged to visit the provider’s website other than for the initial download of the video conferencing application.
- You can use the video conferencing tools by entering the meeting ID and any other login details for the meeting directly within the application.
- If you prefer to participate without installing an application, you may use the video services in your browser via the respective website for online meetings held with Zoom or Teams. However, in this case, you will only be able to use the basic functionalities.
Zoom is a service provided by Zoom Video Communications Inc., a company based in the United States. Zoom has, however, agreed to host all the personal data processed in the course of online meetings held via Zoom exclusively on servers in the European Union.
To participate in an online meeting, you will be required to provide at least your name.
The following data will also be processed:
- User details: name, telephone (optional), e-mail address, password (if “single-sign-on” is not used), profile picture (optional), department (optional)
- Contents: topics and contents of the online meeting, including chat messages and shared files
- Metadata: topic, description (optional), participants’ IP-address, device/hardware details
- In case of optional recordings: audio, video and presentation files, text file of the online meeting chat
- If you participate via your phone: incoming and outgoing phone number, country, time of start and end of call. Additional connection data may be stored, such as the IP-address of your device.
- Text, audio and video data: If you use the chat, question, or survey tool during an online meeting, the text you enter will be used to display during the meeting and possibly to document the meeting. To enable the display of your video or broadcasting of your audio, data provided by your camera or microphone will be processed. You may mute the microphone or turn off the camera at any time within the Zoom application or in your browser.
If you are registered as a Zoom user, Zoom may store reports about online meetings containing data such as metadata, data about calling in via phone or questions, answers and surveys in webinars for up to 12 months.
Online recordings will be deleted when we no longer need to keep the recordings. As a rule, we will conduct a yearly check of which recordings can be deleted. All other meeting data will be deleted within 48 hours of the meeting’s conclusion.
Microsoft Teams is a service provided by Microsoft Ireland Operations Ltd. Microsoft is our data processor. We have agreed a data processing agreement with Microsoft, and Microsoft will store this data on servers in the UK.
The following data will be processed:
- User details: display name, e-mail address (optional), profile picture (optional), preferred language
- Contents: topics and contents of the online meeting, including chat messages and shared files
- Metadata: e.g., date, time, meeting-ID, phone numbers, city
- In case of optional recordings: audio, video and presentation files, text file of the online meeting chat
- Text, audio and video data: If you use the chat, question, or survey tool during an online meeting, the text you enter will be used to display during the meeting and possibly to document the meeting. To enable the display of your video or the broadcasting of your audio, data provided by your camera or microphone will be processed. You may mute the microphone or turn off the camera at any time within the Microsoft Teams application or in your browser.
Any chat contents will be logged by Microsoft Teams and stored for up to 12 months.
We may occasionally ask you to provide information in online forms or questionnaires. We use Microsoft Forms to collect this data. Microsoft Forms is a service provided by Microsoft Ireland Operations Ltd. Microsoft is our data processor. We have agreed a data processing agreement with Microsoft, and we will store this data on servers in the UK.
To fulfil our fiscal, statutory and legal obligations, ECFR will store fiscal data – such as invoices, social security numbers, contracts, and tax details – for the relevant statutory retention period (up to 10 years).
We will only collect and process such personal data from (potential) donors we need to apply for and secure funding, to manage funding contracts, and to enable us to track the use of funds and report to our donors and/or public authorities as required.
Usually this will only be your contact data, for example, your name, address, email address, telephone number, mobile number, and affiliation. If you take part in meetings related to funding applications or ongoing grants, we will document the time, place, and purpose of these meetings, as well as what was discussed. This may include a transcript of our conversation so that we can report to our senior management team and our trustees.
You are under no obligation to provide any personal data unless otherwise stipulated in any funding agreements or if we are legally bound to collect this data. However, if you refuse to provide the required personal data, it may become difficult or unfeasible for us to continue with the project you are engaged with.
Annual Council Meetings
We will require the following data from you to organise and hold our Annual Council Meeting, during which we will keep you informed about ECFR activities and involve you in discussions on ECFR strategy and governance topics.
- Job title
- RSVP status
ACM sessions are recorded for documentation purposes and to showcase the work of the Council.
General activities and meetings
We may store details, minutes or recordings of meetings you take part in.
Nominations for Council membership
Every year, we ask our Council Members and ECFR staff to suggest potential candidates for Council membership. To this end, we collect information about the nominees and present it to the ECFR Board of Trustees so that the ECFR Board can make an informed decision on the recruitment of new Council Members. The data we collect includes public information such as nominee’s name, nationality, gender, age, position, sector, and an internal opinion on reasons why a nominee would qualify for ECFR Council membership. We store this data until the ECFR Board has taken its final decision. Before contacting selected nominees, we will ask the nominator for their contact details in case these is not publicly available. We do not collect contact details of nominees who are not selected. We use Microsoft Forms to collect this data. Microsoft is our data processor. We have agreed a data processing agreement with Microsoft, and we store collected data on servers in the UK.
Contact section of our website
We will share your name, current and past positions, and your home country on our website so that we can promote awareness about the diverse composition of our Council.
Newsletters, advocacy mailings and event invitations
As our valued Council Members, we will send you e-mails about ECFR publications and activities, and invitations to events according to your interests, in order to support the mission of ECFR. You may of course let us know at any time if your areas of interest change or if there are any e-mails you would no longer like to receive from us.
Be aware that, if you click the opt-out link provided in every ECFR mail, you will stop receiving all ECFR emails sent out through our contact database.
When appointed as an ECFR Trustee, after your acceptance, we will collect the following personal data on our trustee appointment form:
- Name, surname
- Previous surname
- Residential address
- Private email
- Private phone number
- Business address
- Business email
- Business phone number
- Date of birth
- Date of appointment
We will process this personal data only so that we can correctly identify and contact you during your appointment, as well as to fulfil our legal membership obligations. Your data may be shared with public authorities should there be a legal obligation to communicate about the appointment of new Trustees.
Trustee verification of ECFR London trustees
So that you may be listed as a Trustee for our United Kingdom bank account, and therefore be granted access to this account, we are legally obliged under UK money laundering law as a UK charity to verify your identity with our bank. Upon appointment to our UK Board of Trustees, we will ask you for the following personal data:
- Place and date of birth
- Home address
- Previous address
- Length of time at address
- Personal e-mail
- Existing Barclay’s account details if any
- National Insurance number if any
- Mother’s maiden name
This will be conducted by our central Finance and Operations department. We will be required to share this data with our bank as part of the know-your-customer check.
General activities of Trustees
As part of your involvement with ECFR and your work on our Board of Trustees, we may store details, minutes, or recordings of Board meetings and of any other meetings you take part in.
Board and Annual Council meetings
We will require the following data from you to organise and hold meetings of our Board of Trustees and our ACM, during which we will keep you informed about ECFR activities and involve you in discussions on ECFR strategy and governance topics.
- Job title
- RSVP status
Contact section of our website
We will ask you for detailed information to share about you on our website so that we can promote awareness about the diverse composition of our Board – such as your name, position, photo, affiliation, past affiliations, areas of expertise, degrees, social media contact, and publications. Our website is maintained centrally by our Communications team whose members are currently based in our Berlin and Madrid offices.
Newsletters, advocacy mailings, and event invitations
As our Trustee, you will receive regular information via e-mail about ECFR publications, activities, and invitations to meetings and events in order to support the mission of ECFR. You may of course let us know at any time if you would like to receive less (or no) information or invitations to ECFR events. Be aware that, if you click the opt-out link provided in every ECFR mail, you will stop receiving all ECFR emails sent out through our contact database.
Who will receive your personal data?
EU Transparency Register
As part of our obligation to transparency under European Union funding rules, we will publish information about ECFR activities funded with EU money in the publicly available EU transparency register. This may include the names of speakers at, and the dates and topics of, relevant seminars and panels conducted with EU support.
Your participation as a speaker, moderator or participant in ECFR events, meetings, and study trips may be shared with donors to inform them about our activities.
If we assist you in making travel arrangements, such as flights or hotel bookings, any personal data required for this will be shared with service providers such as hotels, travel agents, and airlines.
IT service providers
Data may be accessed by service providers with whom we have agreed data processing agreements for the purposes of administering ECFR IT systems, including website hosting, cloud services, video conferencing, and software support.
ECFR access to data
Within ECFR, your personal data will be accessed only insofar as it is required for the task at hand. Frequently, this will include our central finance department and ECFR senior management, as well as select staff working on the relevant programme or project.
Financial data stored to fulfil our fiscal, statutory and legal obligations will only be available to our finance department, tax accountants, tax authorities, or auditors.
Auditors and public authorities
We may share personal data with auditors or tax authorities as far as this is required.
When necessary, we may use personal data to document our activities and may share them with courts or law firms as and when necessary to protect our legal interests.
We are legally required to share details about our Trustees with the public authorities where ECFR is registered in the relevant member country. UK trustees’ data will also be shared with the UK Charity Commission where this is legally required.
What is the legal basis for processing your personal data?
Business relationships and e-mail communication
We will process your personal data based upon article 6 (1) b of the GDPR or UK GDPR respectively where we have a contract, written or otherwise, with you or your employer or where it is part of pre-contractual measures. In other cases, the legal basis will be our legitimate interest in communicating with you and in establishing or carrying out our business relationship and the connected purposes and therefore article 6 (1) f of the GDPR or UK GDPR respectively.
We will process your personal data based upon our legitimate interest to keep up to date information about relevant stakeholders on file and therefore article 6 (1) f of the GDPR or UK GDPR respectively.
Newsletters, campaign mailouts, event invitations
If you have consented to receiving ECFR newsletters or other information relevant to the work of ECFR via email, the processing of your personal data will be based upon your consent and thus article 6 (1) a of the GDPR and UK GDPR respectively. In all other cases, the processing of your personal data occurs based on our legitimate interest in raising awareness of our activities, events, and publications and to advance our mission of promoting constructive debate on European foreign policy at the European level. The legal basis will be our legitimate interest and therefore article 6 (1) f of the GDPR or UK GDPR respectively.
Polls and interviews
The processing of personal data for these journalistic purposes takes place to further our legitimate interest in creating relevant content to engage European decision-makers and public opinion at large, the legal basis is thus article 6 (1) f of the GDPR or UK GDPR respectively.
Events and meetings
Any personal data processed as part of your registration and to carry out the event will be processed based upon article 6 (1) b GDPR or UK GDPR respectively. We also process personal data to pursue our legitimate interests to keep you posted about future events, to document and promote our events, and to gain insights into the impact of our events. In the latter cases, the legal basis will be our aforementioned legitimate interest and therefore article 6 (1) f of the GDPR or UK GDPR respectively. In those cases where you have consented to the use of your personal data, the legal basis is article 6 (1) a of the GDPR or UK GDPR.
Photography and videography
Unless you have a contract with us in which the use of photography and other recordings is regulated, or have consented to the use of images and other recordings, the legal basis will be our legitimate interests in reporting about our events and activities and therefore article 6 (1) f of the GDPR or UK GDPR respectively.
The processing of personal data for accounting purposes takes place to fulfil our statutory obligations according to relevant national law and is thus based upon this law and article 6 (1) c of the GDPR or UK GDPR respectively.
Where we process your personal data to document our work or protect our legal interests, this constitutes a legitimate interest. The legal basis is thus article 6 (1) f of the GDPR or UK GDPR respectively.
We will process your personal data according to the funding agreement or as part of pre-contractual measures, and therefore based upon article 6 (1) b of the GDPR or UK GDPR respectively. In other cases, the legal basis will be our legitimate interest in securing adequate funding and therefore article 6 (1) f of the GDPR or UK GDPR respectively.
We will process your personal data as far as it is required within the context of your membership of the ECFR Council according to our Articles of Association and therefore based upon article 6 (1) b of the GDPR or UK GDPR respectively.
The legal basis for the collection of the personal data of Council nominees is our legitimate interest in conducting an informed recruitment process for the ECFR Council, and therefore article 6 (1) f of the GDPR or UK GDPR respectively.
The processing of your personal data for the purpose of sending you newsletters, advocacy mailouts, and event invitations may also be based upon our legitimate interest to involve you in ongoing ECFR activities and further your support of and involvement with ECFR and therefore article 6 (1) f of the GDPR or UK GDPR respectively.
We will process your personal data as far as it is required within the context of your appointment to the Board of Trustees according to our Articles of Association and therefore based upon article 6 (1) b of the GDPR or UK GDPR respectively. The processing of your personal data for the purpose of sending you newsletters, advocacy mailouts, and event invitations may also be based upon our legitimate interest to involve you in ongoing ECFR activities and further your support of and involvement with ECFR and therefore article 6 (1) f of the GDPR or UK GDPR respectively.
In all other cases, the legal basis is article 6 (1) b of the GDPR or UK GDPR respectively where we have a contract or agreement with you, article 6 (1) c of the GDPR or UK GDPR respectively if we are processing data due to our legal obligations, article 6 (1) a of the GDPR or UK GDPR respectively if you have consented to the use of your data, or it may be based on our legitimate interest in the context of our general organisational objectives and therefore article 6 (1) f of the GDPR or UK GDPR respectively.
How long will we store your personal data for?
We will keep your personal data for as long as it is required to fulfil the above purposes.
Information stored in personal profiles in our database is usually kept for as long as you hold your position or professional affiliation, and we assume that ECFR publications and activities are relevant to you. We carry out regular reviews to ensure that any information that becomes outdated or irrelevant is promptly removed from our database.
Insofar as statutory storage obligations exist, we must take these into account and will store your data, with access restricted, for an adequate period.
If you are in our database or we enter you into our database, we will usually store information about the event there, such as the fact that we invited you or that you registered or took part in an event. Information stored in personal profiles in the database is usually stored for as long as you hold your position or affiliation and we assume that ECFR activities are relevant to you. We conduct regular reviews to ensure that if information becomes outdated or outlives its purpose, it is removed from our database.
Online meeting recordings may be stored both on our servers or on servers hosted by the respective provider and will be deleted when we no longer need to keep the recordings. As a rule, we conduct a yearly check of which recordings can be deleted.
We will store lists of participants in ECFR events internally and delete them when they are no longer required for our documentation of the event. Usually lists of participants will be deleted within ten years of the project ending.
Where specific retention periods apply related to personal data processed by the respective video conferencing tools, we kindly ask you to refer to the information provided above for the relevant software tools.
We will keep your personal data for as long as it is required to fulfil the above purposes. Usually this will be the period of your appointment as a Council Member. After your Council membership expires, we will ask you to join our Council alumni community and, if you agree, keep your contact details.
We store data of nominees until the ECFR Board of Trustees has taken its final decision, as described above.
We will keep your personal data for as long as it is required to fulfil the above purposes. Usually, this will be the period of your appointment as a Trustee.
Where will your personal data be processed?
We process your personal data on dedicated IT systems and within our premises both in the EU and the UK. We also use software and service providers who host and process personal data for ECFR both in the EU and the UK.
While the UK is no longer part of the EU, the European Commission has reached an adequacy decision according to article 45 of the GDPR for the UK, meaning that the level of data protection in the UK is considered to be of an adequate level.
Insofar as donors or prospects are based outside the EU, your personal data detailed above may be transmitted to these countries. Where no adequacy decision by the European Commission exists, as is the case for countries like the United States, the level of data protection may not be on a par with that provided by the GDPR. In particular, foreign authorities may be able to access your personal data, and you may not be able to ensure legal recourse. In these cases, the transfer of your personal data, while being kept to a strict minimum, will be based on the contract you enter into as part of your registration for the event or required in the context of your membership of the ECFR Council or your appointment to the Board of Trustees and thus occur based on the legal derogation of Art. 49 (1) lit. b GDPR.
Data processed by cloud service providers may in certain cases, such as support requests, be transferred to regions outside the EU. The providers we contract have agreed the standard contractual clauses – as published by the European Commission with their affiliates and sub processors as an appropriate safeguard according to article 46 GDPR and UK GDPR to ensure the safety of your personal data. These Standard Contractual Clauses are available here and are valid in the processor-to-processor variant (module 3).
Are you obliged to provide your personal data?
You are under no obligation to provide personal data to ECFR unless otherwise stipulated in any relevant contracts or where we are legally obliged to collect this data. For instance, you are obliged to provide any personal data we are required by law to collect, such as personal data needed to verify you with our bank or agreed in our contract with you, for example to identify you as a Trustee.
However, even where you are not obliged to provide personal data, we may not be able to continue our collaboration with you on any given project or specific activity without the required personal data.
You have the right to information about how ECFR processes your personal data. In the case of a request for information which is not addressed to us in writing, we may ask you to provide further proof of identity.
Furthermore, you have the right to correct, delete, or restrict the processing of your personal data to the extent to which you are legally entitled to such rights.
You also have the right to object to the processing of your personal data within the scope of the statutory provisions, see above.
You have a right to data portability, again within the scope of the statutory provisions.
To exercise your rights, we kindly ask that you address any queries to ECFR Deutschland GmbH, either by post or email (see our contact details above).
Right to complain
You have the right to complain to the data protection supervisory authorities both in the EU and in the UK about our processing of your personal data.