This privacy notice provides all the information you need about the processing of third-party personal data by the European Council on Foreign Relations (ECFR). Please note that additional and different privacy notices on processing your personal data might apply in specific cases, including if you are an ECFR employee, ECFR Trustee, ECFR Council member or if you are applying for employment at ECFR.
Who does this privacy notice apply to?
This notice is relevant to you if you are:
- A third-party recipient of our publications, including (but not limited to) policy makers, members of parliament, journalists, experts
- A donor/financial supporter to ECFR
- A prospect that we are hopeful could decide to support ECFR financially
- A supplier or a partner to deliver ECFR activities, such as events
- A consultant or sole trader working for us
- You are a participant in a ECFR poll or are interviewed for research purposed by ECFR staff
- A recipient of ECFR advocacy mails, newsletters, event invitations and media advisory
- or in other ways affiliated with us.
Who is responsible for the processing of your personal data?
This information applies to our pan-European networked organization, which includes 5 registered legal entities in France, Germany, Italy, Spain and the UK. As we operate in a highly integrated way as a single organization, ECFR legal entities are jointly responsible for the processing of your personal data according to article 26 of the GDPR and UK GDPR regulations.
ECFR legal entities, as joint controllers according to Art. 26 GDPR and UK GDPR, have amongst themselves agreed that ECFR Deutschland GmbH will take primary responsibility for complying with GDPR and UK GDPR obligations, in particular with transparency obligations and individuals’ rights.
Our contact details
If you have any questions about how we process your personal data, please address them to ECFR Deutschland GmbH or our data protection officer.
For additional information about ECFR, our activities and the details of authorized representatives, please refer to the imprint on our website.
ECFR data protection officer
ECFR Deutschland GmbH has appointed a data protection officer (DPO). In case of any queries you may contact the DPO by using the contact details above and adding “attn of the DPO” or via e-mail: [email protected]
What personal data will we process and for which purposes? Do we share any personal data for these purposes?
We will only collect and process the personal data we need to apply for and secure fundings and public grants, to manage funding contracts and to enable us to track the use of funds and report to our donors and/or public authorities as required.
Usually this will simply be your contact data – for example, your name, address, email address, telephone, mobile and affiliation. If you take part in meetings related to funding applications or ongoing grants, we will document the time, place and purpose of these meetings, as well as anything that was discussed. This may include a transcript of our conversation, so that we can report to our senior management team and our Trustees. If you are receiving payments from ECFR, we may need to document this in expense reporting to our donors for our projects or programmes; again, we will keep it to a minimum, disclosing only your name, title, affiliation and funding amount.
There is no obligation for you to provide any personal data unless otherwise stipulated in any funding agreements, or in case we are legally bound to collect this data. However, if you refuse to provide the required personal data, it may become difficult or unfeasible for us to continue with the project you are engaged with, insofar as this is required in the funding context, your personal data will be passed on to donors, auditors and public authorities.
We will collect your personal data to enable us to satisfactorily carry out our business relationship with you, whether as a supplier, service provider, consultant, or other business partner. We will only process relevant contact, contract, payment and invoice data.
Your personal data may be shared with other business partners working on the same project, insofar as necessary.
We keep a contact database of stakeholders relevant to European foreign policy as it is essential for our work to remain up to date on relevant decision-makers at national and pan European level. Apart from personal data such as your name, e-mail address, affiliation, job title and communication preferences, we also classify contacts by location, fields of interest, expertise, employer, position, department.
Newsletters, campaign mailings and event invitations
One of our main objectives as an international think-tank is to promote awareness about our publications, analyses, and other content. To this end we regularly send out newsletters, campaign mailings, event invitations and media advisory and keep a record of which mails were sent to which contacts. We aim to send these out to any contacts whom we assume to be interested in our work. We will always try to send you information we think may be interesting and relevant to your field of work. You may object to some or any of these mails at any time, simply by using the link at the bottom of each e-mail. You can also contact us using the above contact details, either by post or e-mail.
Polls and interviews
We use an extensive network of consultants and experts all over Europe to conduct research, via direct interviews or polling segments of public opinion, to draft policy reports and various publications.
All data collected from the polling and survey tools we use for our research – e.g., countries, categories of employer, personal insights – will be anonymized, although we may sometimes ask you directly to voluntarily provide your contact information so that we may gain more insight. Your personal contact information is always kept separately from any polling or survey results and cannot be correlated.
In case of more extensive interviews, our partners may record your name or position as well as take minutes of the conversation. You will always be informed about this in advance and able to withdraw your consent or object directly to our partners.
To fulfil our legal obligations, ECFR will store fiscal data – such as invoices, social security numbers, contracts, tax details – for the relevant statutory retention period (up to 10 years). During this period, this information will only be accessed by our finance department, tax accountants, tax authorities or auditors.
We may use any of the above data to document our activities and may share them with courts or law firms as and when necessary to protect our legal interests.
Who else will receive your personal data?
EU Transparency Register
As part of our obligations to transparency under funding rules by the European Union, we will publish information about ECFR activities funded with EU money in the publicly available EU Transparency Register. This may include the names of speakers, dates and topics of relevant seminars and panels carried out with the EU support.
IT service providers
Data may be accessed by service providers with whom we have agreed data processing agreements for purposes of administrating ECFR IT systems, including hosting of our website, cloud services, video conferencing or software support.
ECFR access to data
Within ECFR, your personal data will be accessed only insofar as this is required for the task at hand. Frequently this will include our central finance department and ECFR senior management, as well as select staff working on the relevant programme or project.
What is the legal basis for the processing of your personal data?
Funding and grant applications
We will process your personal data according to the funding agreement or as part of pre-contractual measures and therefore based upon article 6 (1) b of the GDPR or UK GDPR respectively. In other cases, the legal basis will be our legitimate interest in securing adequate funding and therefore article 6 (1) f of the GDPR or UK GDPR respectively.
We will process your personal data based up article 6 (1) b of the GDPR or UK GDPR respectively where we have a contract, written or otherwise, with you or your employer or where it is part of pre-contractual measures. In other cases, the legal basis will be our legitimate interest in establishing or carrying out our business relationship and the connected purposes and therefore article 6 (1) f of the GDPR or UK GDPR respectively.
Newsletters, media campaigns, invitations and other mailouts
If you have consented to receiving ECFR newsletters or other information relevant to ECFR work via email, the processing of your personal data will be based upon your consent and thus article 6 (1) a of the GDPR and UK GDPR respectively. In all other cases, the processing of your personal data occurs for our legitimate interest in raising awareness about our activities, events and publications and to advance our mission of furthering a constructive debate on European foreign policy at European level. The legal basis will be our legitimate interest and therefore article 6 (1) f of the GDPR or UK GDPR respectively.
Polls and interviews
Processing of personal data for these journalistic purposes takes place to further our legitimate interests in creating relevant content to engage European decision-makers and public opinion at large, the legal basis is thus article 6 (1) f of the GDPR or UK GDPR respectively.
The processing of personal data for accounting purposes takes place to fulfil our statutory obligations according to relevant national law and is thus based upon this law in connection with article 6 (1) c of the GDPR or UK GDPR respectively.
Where we process your personal data to document our work or protect our legal interests, this constitutes a legitimate interest. The legal basis is thus article 6 (1) f of the GDPR or UK GDPR respectively.
How long will we store your personal data?
We will keep your personal data for as long as it is required to fulfil the above purposes.
Information stored in personal profiles in our database is usually stored for as long as you hold your position or professional affiliation, and we assume that ECFR publications and activities are relevant to you. We carry out regular reviews to ensure that any information that becomes outdated or irrelevant is promptly removed from our database.
Insofar as statutory storage obligations exist, we must take these into account and will store your data, with access restricted, for an adequate period.
Where will your personal data be processed?
We process your personal data on dedicated IT systems and within our premises both in the European Union and the UK. We also use software and service providers who host and process personal data for ECFR both in the European Union and the UK.
While the UK is no longer part of the European Union, the European Commission has reached an adequacy decision according to article 45 of the GDPR for the UK, meaning that the level of data protection in the UK is considered to be of an adequate level.
Processing of personal data outside the EU
As a general rule the processing of your personal data will take place within the European Union (EU).
Some of our supporters and partners are based outside the EU, particularly in the USA. The legal basis for the transfer of personal data outside the EU in these cases is Art. 49 (1) b, as the transfer of your personal data is based on our contract with you, such as an employment contract or funding agreement.
Data processed by cloud service providers may in certain cases, such as support requests, be transferred to regions outside the EU. These providers we engage have agreed the so-called Standard Contractual Clauses – as published by the European Commission with their affiliates and sub processors as an appropriate safeguard according to art. 46 GDPR and UK GDPR to ensure the safety of your personal data. These Standard Contractual Clauses are available here and are valid in the Processor-to-Processor variant (module 3).
Are you obliged to provide your personal data?
There is no obligation for you to provide personal data to ECFR, unless otherwise stipulated in any relevant contracts or where we are legally obliged to collect this data. However, we may not be able to continue our collaboration with you on any given project or specific activity without the required personal data.
You have the right to information about how ECFR processes your personal data. In the case of a request for information which is not addressed to us in writing, we may ask you to provide further proof of identity.
Furthermore, you have the right to correction, deletion, or restriction of the processing of your personal data to the extent to which you are legally entitled to such rights.
You also have the right to object to the processing of your personal data within the scope of the statutory provisions, see above.
You have a right to data portability, again with the scope of the statutory provisions.
To exercise your rights, we kindly ask you to address any queries to ECFR Deutschland GmbH, either via post or email (see our contact details above).
Right to complain
You have the right to complain to the data protection supervisory authorities both in the EU and in the UK about our processing of your personal data.