REF SP Privacy Policy - Roma Education Fund

The Privacy Notice of the Roma Education Fund

Dear Scholarship Applicant,
Please note that this is non-official translation of the Roma Education Fund’s privacy notice. It serves for information purposes only. Official translation in your local language is going to be be available soon.

Table of Content

I. GENERAL PART

Introduction
Definitions
Who is the data controller?
What are the fundamental principles to data processing?
Is any processor involved? If so, under what conditions?
What measures does REF apply to guarantee the security of the personal data processed?
In what cases may personal data be transferred to third parties?
What are the rights of the data subject and how can they be enforced?

8.1 The information of the data subject

8.2 The rectification and erasure of personal data

8.3 The right to data portability

8.4 Right to the restriction of processing

8.5 The right to object to the processing of personal data

8.6 The rights of the data subject related to automated decision-making

8.7 The right to withdraw the consent given

8.8 Other issues regarding the exercise of the data subject rights

What are the consequences of unlawful data processing?

II. DATA PROCESSING ACTIVITIES CARRIED OUT BY THE ROMA EDUCATION FUND

Processing activities related to advocacy
Processing related to communication activities
Processing activities related to financial activities
Processing activities related to provide grants
Processing activities related to researches conducted by REF
Processing activities related to provide scholarships
Processing activities related to use REF’s Website

I.General part

1. Introduction

The Roma Education Fund (hereinafter: “REF”) finds it important to safeguard and enforce the rights related to data processing of data subjects. REF processes the personal data of data subjects based on the General Data Protection Regulation of the European Union (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC [the “GDPR”]), Act CXII of 2011 on Informational Self-Determination and the Freedom of Information (the “Privacy Act”) and other provisions of the law relevant to data protection (listed in detail in the Definitions).

This Privacy Notice relates only to the data processing practices of REF Hungary, as described in Section “Data processing activitiescarried out by REF”. The Privacy Notice does not cover the data processing activities of other REF entities. List of REF network and portfolio countries are available at the bottom of the following link: https://www.romaeducationfund.org/.

2. Definitions

The following terms used frequently in this Privacy Notice shall have the meanings provided below:

Set of data: The totality of data processed within the same record.

Data processing by a processor: the performance of technical and technological tasks related to data processing operations, regardless of the method or means applied for or the place of the implementation of the operations.

Processor: The natural person or legal entity or the organisation without legal personality which processes data based on its contract concluded with REF.

Media: The device used for the presentation of the data, including documents. Hard copy or magnetic media, including but not limited to document, magnetic disk, USB drive/stick, CD, DVD, magnetic tape, Winchester (Hard Disk Drive), video tape, audio tape.

Data processing by the controller: Any operation or the totality of operations performed on data, regardless of the procedure applied, including but not limited to the collection, recording, systemization, storage, alteration, use, retrieval from a public or private database, transfer, publication, alignment or combination, erasure and destruction and the prevention of any future use of data, taking photos, making audio or video recordings.

Controller: The natural or legal person or organisation without legal personality which, alone or jointly with others, determines the purposes of the processing of data, makes and implements or appoints a processor to implement decision relevant to the processing of data (including the means to be applied).

Destruction: The total physical destruction of the media containing the data, as a result of which, the data is no longer accessible to REF or anyone else.

Data transfer: The process by which the personal data is made accessible to a uniquely identified third person.

Erasure: The process of rendering makes it impossible to recognise data in a way that it can never again be restored.

Applicable legal rules: REF performs its data processing activities with regard to the following provisions of law:

GDPR
Privacy Act.

Act IV of 2013 on the Civil Code (the “Civil Code”)

Act C of 2000 on Accountancy (the “Act on Accountancy”)

Pseudonymisation: The processing of personal data in such a manner (e.g. replacement with ID) that the personal data can no longer be attributed to a specific data subject without the use of additional information (e.g. description of the method and procedure for establishing the connection between the personal data and the identifier used instead of it), provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

Anonymisation: A technical procedure ensuring that the connection between the data subject and the personal data may no longer be restored.

Restriction of processing: the marking of stored personal data with the aim of limiting their processing by REF in the future.

Biometric data: personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person (e.g. face or fingerprint), which allow or confirm the unique identification of that natural person or confirm the result of a previous identification.

Recipient: a natural or legal person, public authority, or another body, to which the personal data are disclosed, whether a third party or not.

Health Data: personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.

Data subject: any natural person who is or may be, whether directly or indirectly, identified based on any personal data, including applicants, beneficiaries, website visitors, etc.

Supervisory Authority: an independent public authority which is established in the applicable legal rule of a Member State to verify compliance with the data protection rules, which in Hungary is the National Authority for Data Protection and Freedom of Information (hereinafter: “NAIH”).

Genetic data: personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.

REF’s Website: https://www.romaeducationfund.org/

Third country: Any country other than the Member States of the European Union or the Member States of the European Economic Area (EEA) (Iceland, Norway and Liechtenstein). Most of REF network and portfolio countries are also third countries.

Third party: a natural or legal person, public authority or organisation without legal entity, other than the data subject, the controller or the processor.

Consent: Any freely and expressly given specific and informed indication of the will of the data subject by which he signifies his agreement to personal data relating to him/ her being processed fully or to the extent of specific operations. If data subject is under age of sixteen, consent shall be given and revoked only by all parents or persons who exercise legal custody rights over the children.

Document: Any text, series of figures, sketch, graph or diagram. Unless otherwise provided, the rules relevant to documents shall be duly applied to audio and video recordings.

Grantee: Non-individuals which receives grant from REF.

Close relative: Spouse, lineal descendant, adopted child, stepchild or foster child, adoptive parent, stepparent or foster parent or sibling of the data subject.

Special data: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic or biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

Mentee: A natural person who is selected to receive grant directly from REF and is provided support in his / her resilience to challenges in secondary school time.

Disclosure: The process of making data available to the public.

Profiling: Any form of automated (without human intervention) processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person (e.g. performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements).

Marking of personal data: The assignment of an identifier to personal data so that it may be distinguished from other data in the future. Marking is mandatory, if the employee challenges the correctness or accuracy of the personal data.

Personal data: Any and all data related to the data subject, with special regard to his/her name, identification No., one or more physical, physiological, mental, economic, cultural or social identifier(s) and any conclusion which may be drawn from any of the foregoing for the data subject.

Natural person: any living person who may be the holder of personal rights, including the protection of personal data.

Objection: A statement made by the data subject (whether orally or in writing) to object to the processing of his/her personal data by REF or to request the termination of data processing or the deletion of the data processed.

Tutee: A natural person who is selected to receive grant directly from REF and is provided support in mastering their academic achievements covering the subjects that he/ she is in need of improvement.

3. Who is the data controller?

Name: Roma Education Fund

Principal Office: H-1139 Budapest, 99 Váci str

Registration No: 01-01-0009793

Tax Registration No: 18121386-1-41

Name of the Data Protection Officer: Marko Pecak

E-mail address of the Data Protection Officer: mpecak@romaeducationfund.org

4. What are the fundamental principles to data processing?

Personal data shall be deemed to be personal data as long as it can be attributed to the data subject. Personal data shall be deemed to be attributable to the data subject, if the technical conditions necessary to establish the relationship between the data subject and the data are actually available to REF, i.e. it can identify the data subject based on the data.
REF may process personal data exclusively in compliance with the provisions of the laws (the applicable legislation is listed under “Definitions”) of the European Union and Hungary (principle of lawfulness).

REF lays increased emphasis on ensuring that the data processing operations performed by REF should be clear, transparent (principle of transparency) and fair (not misleading) to both the data subject and REF. As for the data subjects, REF provides for meeting the requirement of transparency by publishing, keeping up to date and continuous availability hereof and, within its organisation, by means of the up-to-date records of data processing operations.

REF shall process the personal data of data subjects exclusively for the purposes defined in Section “Data processing activities carried out by REF” (principle of purpose limitation). REF shall promptly inform the data subject in the event of a new purpose of data processing.
REF shall only process personal data which are essential and suitable for realizing the purpose of processing (principle of data minimisation).
REF shall process personal data only to the extent and for the length of time essential for realizing the purpose of processing (principle of storage limitation).

REF shall ensure that the data processed should be accurate, complete and, if it is necessary for the purpose of processing, kept up-to-date and that the data subject may be identified only as long as it is absolutely necessary for the purpose of processing by means of rectification performed by REF or initiated by the data subject following the discovery of any inaccuracy (principle of accuracy).
REF shall safeguard the confidentiality of and prevent any unauthorized access to the personal data processed by REF (principle of confidentiality).

5. Is any processor involved? If so, under what conditions?

The rights and obligations of the processor involved by REF related to the processing of personal data are determined by REF in the data processing agreement concluded with the processor in writing with regard to the provisions of the GDPR, the Privacy Act. and separate legal rules pertaining to data processing. REF is responsible for the lawfulness of the instructions given to the processor.
The processor may involve other processor(s) to perform its activities, subject to the provisions formulated by REF.

The processor may not make any decision on the merits of the processing, may process the personal data disclosed to it exclusively in accordance with the instructions of REF, may not use any personal data for its own purposes, is obliged to store and preserve personal data as required by REF, and irrevocably delete or destroy them or return them to REF upon the termination of the data processing.

The individual processors and their respective activities are described in detail in the section titled “Data processing operations of REF”.

6. What measures does REF apply to guarantee the security of the personal data processed?

REF shall plan and implement processing operations in a manner ensuring the highest level of protection of the privacy of the data subject in the course of the application of the GDPR, the Privacy Act and other rules relevant to data processing.
REF and, within its scope of activity, the processor involved by REF shall duly provide for the safety of data and take any technical and organisational measures and develop any rules of procedure which may be necessary for the enforcement of the GDPR, the Privacy Act. and other rules governing privacy and confidentiality.

REF shall protect data by appropriate measures, such as encryption or anonymization (SSL or TLS), in particular against unauthorized access, alteration, transmission, public disclosure, deletion or destruction, as well as damage and accidental loss, and to ensure that stored data cannot be rendered inaccessible due to any changes of the applied technique.

Unless otherwise permitted by the law, REF shall apply appropriate technical solutions to protect the data processed electronically in its various records against being directly connected with each other or attributed to the data subject.
Should REF apply an automated decision-making system to process personal data, including but not limited to profiling, REF and the processor shall take additional measures in order to
- prevent any unauthorized entry of data;
- prevent the use of the automated data processing systems by any unauthorized persons by means of any data transfer equipment;
- check and identify the recipients which the personal data have been or may be transferred to by means of any data transfer equipment;
- check and determine what personal data have been entered into the automated data processing system, when and by whom;
- ensure the restorability of the systems installed in the event of a breakdown and
- provide for the preparation of a report of any defects arising in the course of automated processing.
REF and the processor shall determine and apply the measures ensuring the safety of data due with regard to the state of the art. REF shall select from several possible processing solutions the one guaranteeing the higher level of protection, unless that would involve unreasonable difficulty for REF.

REF draws the attention of the data subjects to the risks posed by the open Internet, which are beyond REF’s control (for example, unauthorized access to user names and passwords), for which REF assumes no responsibility whatsoever.
Furthermore, REF is not responsible for the security risks of accessing content accessible through any link on its pages, since REF has no control over the content accessed through the links or the data security measures applied by the sites accessible through the links.

7. In what cases may personal data be transferred to third parties?

Personal data may be transferred to third parties, i.e. parties other than the data subject, REF or the processor, based on the express consent of the data subject or if it is permitted by the GDPR.
According to the effective privacy legislation, data transfers directed at an EU Member State shall be regarded as a data transfer within Hungary. REF will transfer personal data to non-EEA countries (third countries) only based on the express consent of the data subject or if the proper level of protection of the personal data is guaranteed in the third country. The proper level of protection of personal data shall be deemed to be guaranteed if it has been established by a binding legal act of the European Union (the list of the countries the privacy regulations of which have been found to be appropriate by the European Commission is available at the link https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en” \l “dataprotectionincountriesoutsidetheeu).

Personal data may be forwarded to non-EEA countries in the absence of the consent of the data subject or a decision on the adequacy of the destination country in the following cases:

Without a separate permission by the supervisory authority

based on binding corporate rules,
if the general terms and conditions adopted by the European Commission (and available at the following website) are applied,
if the general terms and conditions approved by the supervisory authority and the European Commission are applied,
a Code of Conduct is applied,
if certification is applied.

With the permission of the supervisory authority, provided that the terms and conditions of the contract concluded between REF or the processor and the controller or processor within the third country or the international organisation or the recipient of the personal data are applied.
In the event of the specific situations described below:

the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards,
the transfer is necessary for the performance of a contract between the data subject and REF or the implementation of pre-contractual measures taken at the data subject’s request,
the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between REF and another natural or legal person,
the transfer is necessary for important reasons of public interest,
the transfer is necessary for the establishment, exercise or defence of legal claims (e.g. an adversarial or an official procedure),
the transfer is necessary in order to protect the vital interests of the data subject or of other persons (e.g. situation posing threat to human life), where the data subject is physically or legally incapable of giving consent,
the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case.

8. What are the rights of the data subject and how can they be enforced?

The data subject may contact REF at the mailing address, e-mail address or phone number provided in Section 3 to request or initiate

information on the processing of his/her personal data (right of access),
the rectification or erasure of his/her personal data,

the transfer of his/her personal data to another controller,

the restriction of the data processing,

and also to

object to the data processing,
initiate not to be subjected to automated decision-making or

withdraw his/her consent to data processing.

Within five years of the death of the data subject, the right of access, rectification, erasure, restriction and objection may be exercised by the authorized representative as specified by the data subject in his or her life. The proxy shall be forwarded to the REF. In the absence of an authorized person, the right of rectification and objection and, if the data processing was already unlawful in the life of the data subject or the purpose of data processing ceased upon the death of the data subject, the right of erasure and restriction may be exercised by the close relative of the data subject (spouse, lineal descendant, adopted child, stepchild or foster child, adoptive parent, stepparent or foster parent or sibling).

REF will call upon the authorized person or close relative who wishes to exercise the rights of the deceased to verify the death of the data subject and the date and identity of the deceased. Only the death certificate or court order establishing the fact of death can be accepted as proof of the fact and date of death; in the absence thereof, REF will not comply with the request.

8.1 The information of the data subject

The right of access does not mean the possibility of direct access to the data or to the physical or IT systems storing them, but that at the request of the data subject, REF informs him/her of whether or not it is processing his/her personal data and, if yes,

the purpose of data processing,
to whom it forwards them,
how long the data will be stored (if storage time cannot be determined in advance, the criteria for determining storage time),
the source of the data (if not collected directly from the data subject), whether automated decision-making (including profiling) is taking place, what is the logic behind it, and what is the importance of automated decision-making and the expected consequences thereof for the data subject,
whether the data are transferred to a third country or international organization; if so, under which guarantees (the scope of possible guarantees is detailed in Section 7).

At the explicit request of the data subject, REF shall provide the requested information in writing within the shortest time, but not more than one month, from the submission of the request.

For the first time, REF will make available to the data subject a copy of the processed data free of charge and thereafter against payment of the costs of making the copy.

8.2 The rectification and erasure of personal data

REF shall rectify or supplement any inaccurate personal data if the accurate personal data is available to REF; in other cases, the rectification may be carried out at the request of the data subject and after the correct information has been provided.
The personal data will be erased by REF if
- the personal data are no longer needed for the purpose for which they were collected or otherwise processed,
- the data subject has withdrawn his/her consent to the processing,
- the data subject objects to the processing based on lawful interest (as the legal ground for processing) and there are no overriding legitimate grounds for the processing,
- the personal data have been unlawfully processed,
- the personal data have to be erased for compliance with a legal obligation provide in the law of the European Union or Hungary to which REF is subject,
- it has been so ordered by a court of law or the NAIH.

The retention period of the data is set out in Section “Data processing activities carried out by REF”.

Where REF has made the personal data public and is obliged to erase the personal data, REF, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform other controllers which are processing the personal data that the data subject has requested the erasure of any links to, or copy or replication of, those personal data.

REF shall mark the personal data processed, if the data subject contests the correctness or accuracy of such personal data, but the incorrectness or inaccuracy thereof may not be clearly established.
REF shall give notice of the rectification or erasure of the personal data to the data subject and every person which such data has been transferred to for the purpose of processing. Such notice may be dispensed with if this would not jeopardize the lawful interest of the data subject with regard to the purpose of the processing.

8.3 The right to data portability

The data subject may initiate that REF shall make available the personal data concerning him or her in a structured, commonly used and machine(computer)-readable format (such as an Excel or txt file) and have the right to the transmission of those data by REF to another controller directly, provided that

the processing is carried out by automated means and
the processing is based on the consent of the data subject or necessary for the performance of a contract which the data subject is a party to or for any steps requested to be taken by the data subject before the signing of such contract.

8.4 Right to the restriction of processing

REF shall restrict the processing of the personal data of the data subject if any of the following applies:

the accuracy of the personal data is contested by the data subject, in this case, the restriction will continue as long as REF checks the accuracy of the personal data,
the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction by REF of the period or manner of their use instead,
REF no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims,
the data subject has objected to processing of personal data for the legitimate interest of REF or a third party. In this case, the processing of personal data may be restricted as long as it is verified whether the legitimate grounds of the processing override those of the data subject.

Where processing has been restricted, the personal data may, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or Hungary.

The data subject who has initiated the restriction of processing shall be informed by REF before the restriction of processing is lifted.

8.5 The right to object to the processing of personal data

The data subject shall have the right to object to the processing of data relating to him/her
- if the processing or transfer of the personal data is necessary exclusively for the enforcement of the lawful interest of REF or any third party, unless it is necessary based on compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims,
- if the personal data is processed or transferred for direct marketing purposes.
REF shall examine the objection to data processing, determine whether it is justified and inform the data subject of its decision without delay but no more than 30 days from the date of submission of the request.

In the event the objection by the data subject is found justified, REF shall suspend the processing of the data, including the continued recording or the transfer of data, and give notice of the objection and the measures taken in response to the objection to each party which the personal data subject to the objection has been transferred to, who shall also provide for the appropriate enforcement of the right to objection.

If the data subject does not agree with the decision of REF or REF fails to examine the request in 30 days, the data subject may, in his/her own discretion, file a lawsuit against REF before the court of law according to his/her permanent abode or usual place of residence in 30 days calculated from the date of communication of the decision of REF or the expiry of the deadline, as applicable.

8.6 The rights of the data subject related to automated decision-making

Section II hereof provides information on whether REF employs decision-making without human intervention and in which cases. If this occurs, the following applies to the automated decision-making.

The data subject may initiate with REF that he/she should not be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her, unless the automated decision-making

is necessary for entering into, or the performance of, a contract between the data subject and REF,
is authorised by a European Union or Member State law to which REF is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests,
is based on the data subject’s explicit consent, given in awareness of advance information.

However, in the cases referred to in Sections 1) and 3), REF shall grant the data subject the right to contest the decision and the right to initiate human intervention (e.g. the subsequent review of the result of the automated decision-making).

As for special categories of personal data, REF may apply automated decision-making exclusively based on the express consent of the data subject or if processing is necessary for reasons of substantial public interest, on the basis of a European Union or Hungarian law.

8.7 The right to withdraw the consent given

If the processing of personal data, including special categories of personal data, is based on the consent of the data subject, the data subject may withdraw his/her consent to data processing by sending a statement to REF using its contact details provided in Section 3 anytime, in which case REF will no longer process his/her personal data. The withdrawal of the consent shall not affect the lawfulness of any data processing operation commenced prior to the withdrawal based on the consent of the data subject.

8.8 Other issues regarding the exercise of the data subject rights

REF shall inform the data subject, without undue delay, and no later than 30 days after receipt of the request, of the action taken on his/her request for access, rectification, erasure, restriction, data transfer, object or automated decision-making. In view of the complexity of the request and the number of a requests received by REF, the time limit may be extended by a further two months, which shall be notified to the data subject by REF within 30 days of receipt of the request, stating the reasons for the delay. If the data subject has submitted the request electronically, the notice shall also be provided electronically, where possible, unless otherwise requested by the data subject.

For the information and/or action detailed in this section, REF may charge a reasonable fee, or refuse to provide the information or to take the action, only if the request is clearly unfounded or, in particular, because of its repetitive character, excessive.

In case of reasonable doubt as to the identity of the requestor, REF shall have the right to ask the requestor to verify his/her identity. Only personal information known to REF may be required to verify the identity. In its reply, REF shall set out in detail the factual and legal reasons justifying its refusal of the request.

In the event the data subject does not agree with the decision of REF, he/she may go to court and decide if he/she files an action with the regional court according to his/her permanent abode (permanent address) or usual residence (temporary address) (the regional courts of law are listed at the website http://birosag.hu/torvenyszekek).

You can find the regional court according to you permanent abode or usual residence at the website http://birosag.hu/ugyfelkapcsolati-portal/birosag-kereso.

The data subject is recommended to contact REF in the first place with any complaint concerning the processing of his/her data by REF via one of the contact details detailed in the “Who is the data controller?” section. Such complaints are investigated with due care and circumspection in every case.

Should the data subject be not satisfied with the outcome of the investigation of the complaint, he/she may file a report with the National Authority for Data Protection and Freedom of Information by using the following contact details:

Principal Office: 1125 Budapest, 22/c Szilágyi Erzsébet fasor

Mailing address: 1530 Budapest, P.O. Box 5

E-mail: ugyfelszolgalat@naih.hu

9. What are the consequences of unlawful data processing?

REF pays priority attention to ensuring that its data processing operations shall be performed in a lawful manner, i.e. with regard to the principles of data processing, for an appropriate purpose and based on an appropriate legal basis, in full compliance with the data security requirements all times.
REF is obliged to compensate the data subject for any damage caused to the data subject by the unlawful processing of his/her data or the violation of the requirements of data security.

Should REF infringe the personal rights of the data subject by the lawful processing of his/her data or by violating the requirements of data security, the data subject may also demand REF to pay general damages for such infringement.

REF shall be liable to the data subject for any damage caused by its processor, as well as any general damages for the infringement of the personal rights of the data subject by such processor.
REF shall be released of its liability to pay damages or general damages for the infringement of personal rights if it proves that the damage or the infringement of the personal right was attributable to an unavoidable cause beyond the scope of data processing. The data subject may not claim damages or general damages for the infringement of personal rights to the extent the damage or the infringement of the personal right occurred due to the intentional or grossly negligent conduct of the damaged party/data subject.

II. Data processing activities carried out by the Roma Education Fund

1.Processing activities related to advocacy

Data processing activities:	collect, store and use contact details
Purpose of processing:	to draft contracts, memorandum of understandings and disclaimers
Legal basis of processing:	legitimate interest pursued by REF
Legal basis of processing:	Section 6 Article (1) point f) of GDPR
Data processor involved in processing:	Microsoft Corporation (One Microsoft Way, Redmond, Washington 98052-6399, USA)
Data processor’s processing activities:	stores copies of executed contracts, memorandum of understandings, disclaimers
Personal data being processed:	contact data (name, e-mail address, telephone No, position held)
Data retention period:	five years after execution of contracts, of memorandum of understandings and of disclaimers
Source of data:	from partners of REF (NGOs, government entities etc.)
Name and address (if any) of recipient:	not relevant
Legal basis of data transfer:	not relevant
Data subjects:	partners’ signatories

2. Processing related to communication activities

Data processing activities:	1. editing and managing REF’s Website (Daily maintenance of REF’s visibility on national and on the international scene through publishing photographs, articles, audio- and visual products, as well as printed and digital communication brochures, posters, country factsheets, annual reports.) 2. managing information coming from https://www.romaeducationfund.org/contact-us/ 3. managing information coming from info@romaeducation.org 4. draft contract with suppliers (e.g. consultants, contractor for video or photo shooting, or for visualization) 5. video and photo-shooting during REF-related conferences 6. publish beneficiaries of scholarships’ data on REF’S Website
Purpose of processing:	1. editing and managing REF’s Website: to ensure REF’s visibility on national and international scene, making projects and REF visible, showcase successful models, contribute towards changing discriminatory attitudes and narratives about Roma 2. managing information coming from https://www.romaeducationfund.org/contact-us/: to get in touch with people interested in activities and services of REF 3. managing information coming from info@romaeducation.org: to get in touch with people interested in activities and services of REF 4. draft contract with suppliers: to conclude and execute contract 5. video and photo-shooting during REF-related conferences: to ensure REF’s visibility on national and international scene 6. publish beneficiaries of scholarships’ data on REF’S Website: to strengthen the existing transparency, increase the visibility, and promote the Roma identity of scholarship beneficiaries
Legal basis of processing:	1. editing and managing REF’s Website: consent 2. managing information coming from https://www.romaeducationfund.org/contact-us/: consent 3. managing information coming from info@romaeducation.org: consent 4. draft contract with suppliers: legitimate interest pursued by REF 5. video and photo-shooting during REF-related conferences: consent 6. publish beneficiaries of scholarships’ data on REF’S Website: REF’s legitimate interest
Legal basis of processing:	1. editing and managing REF’s Website: Section 6 Article (1) point a) of GDPR 2. managing information coming from https://www.romaeducationfund.org/contact-us/: Section 6 Article (1) point a) of GDPR 3. managing information coming from info@romaeducation.org: Section 6 Article (1) point a) of GDPR 4. draft contract with suppliers: Section 6 Article (1) point f) of GDPR 5. video and photo-shooting during REF-related conferences: Section 6 Article (1) point a) of GDPR 6. publish beneficiaries of scholarships’ data on REF’S Website: Section 6 Article (1) point f) of GDPR
Data processor involved in processing:	1. editing and managing REF’s Website: · Microsoft Corporation (One Microsoft Way, Redmond, Washington 98052-6399, USA) · country facilitators and coordinators · REF partners (NGOs) · Péter TURCSOKI (H-2314 Halásztelek, 26 II. Rákóczi Ferenc str) · Balázs VÖRÖS (H-2541 Lábatlan, 26 Gerecse str)2. managing information coming from https://www.romaeducationfund.org/contact-us/: no data processors are involved in processing 3. managing information coming from info@romaeducation.org: no data processors are involved in processing 4. draft contract with suppliers: no data processors are involved in processing 5. video and photo-shooting during REF-related conferences: no data processors are involved in processing 6. publish beneficiaries of scholarships’ data on REF’S Website: no data processors are involved in processing
Data processor’s processing activities:	1. editing and managing REF’s Website: · Microsoft Corporation (One Microsoft Way, Redmond, Washington 98052-6399, USA): stores online questionnaires · country facilitators and coordinators: obtains data through online questionnaires · REF partners (NGO’s): obtains data through online questionnaires · Péter TURCSOKI: translates communication documents (e.g. one-pager, brochure, etc.) · Balázs VÖRÖS: cleans data obtained through online questionnaires and produces analyses on all data from questionnaires 2. managing information coming from https://www.romaeducationfund.org/contact-us/: no data processors are involved in processing 3. managing information coming from info@romaeducation.org: no data processors are involved in processing 4. draft contract with suppliers: no data processors are involved in processing 5. video and photo-shooting during REF-related conferences: no data processors are involved in processing 6. publish beneficiaries of scholarships’ data on REF’S Website: no data processors are involved in processing
Personal data being processed:	1. editing and managing REF’s Website: name of students, beneficiaries and other persons participated in school, regional, national or/and international competitions and results achieved; name and image of data subjects and information about projects they are involved in, available on REF’s Website (e.g. in annual reports); any other personal data disclosed by data subject appears in stories and videos available on REF’s Website 2. managing information coming from https://www.romaeducationfund.org/contact-us/: name, contact data 3. managing information coming from info@romaeducation.org: name, contact data 4. draft contract with suppliers: name, contact data 5. video and photo-shooting during REF-related conferences: image 6. publish beneficiaries of scholarships’ data on REF’S Website: full name of beneficiary, University name, photo and short bio
Data retention period:	1. editing and managing REF’s Website: until data subject revokes consent 2. managing information coming from https://www.romaeducationfund.org/contact-us/: data are deleted after inquiry is being responded by REF 3. managing information coming from info@romaeducation.org: data are deleted after inquiry is being responded by REF 4. draft contract with suppliers: until contract is in effect 5. video and photo-shooting during REF-related conferences: until data subject revokes consent 6. publish beneficiaries of scholarships’ data on REF’S Website: as long as the student is receiving a scholarship
Source of data:	1. editing and managing REF’s Website: country facilitators and coordinators, REF partners (NGOs) 2. managing information coming from https://www.romaeducationfund.org/contact-us/: directly from data subjects 3. managing information coming from info@romaeducation.org: directly from data subjects 4. draft contract with suppliers: from contracting parties 5. video and photo-shooting during REF-related conferences: directly from data subjects 6. publish beneficiaries of scholarships’ data on REF’S Website: directly from data subjects
Name and address (if any) of recipient:	1. editing and managing REF’s Website: finished annual reports are sent to REF offices in hard copy to process data showcase success models 2. managing information coming from https://www.romaeducationfund.org/contact-us/: not relevant 3. managing information coming from info@romaeducation.org: members of REF network have access to the messages received to respond if they have the appropriate knowledge to answer the inquiry 4. draft contract with suppliers: not relevant 5. video and photo-shooting during REF-related conferences: not relevant 6. publish beneficiaries of scholarships’ data on REF’S Website: not relevant
Legal basis of data transfer:	1. editing and managing REF’s Website: legitimate interest pursued by REF (Section 6 Article (1) point f) of GDPR) 2. managing information coming from https://www.romaeducationfund.org/contact-us/: not relevant 3. managing information coming from info@romaeducation.org: legitimate interest pursued by REF and contacting person (Section 6 Article (1) point f) of GDPR) 4. draft contract with suppliers: not relevant 5. video and photo-shooting during REF-related conferences: not relevant 6. publish beneficiaries of scholarships’ data on REF’S Website: not relevant
Data subjects:	1. editing and managing REF’s Website: students, beneficiaries and other persons participated in school, regional, national or/and international competitions; students, beneficiaries and other persons involved in REF projects 2. managing information coming from https://www.romaeducationfund.org/contact-us/: person contacting with REF 3. managing information coming from info@romaeducation.org: person contacting with REF 4. draft contract with suppliers: contacting person with contracting parties 5. video and photo-shooting during REF-related conferences: participants 6. publish beneficiaries of scholarships’ data on REF’S Website: beneficiaries of scholarships

3. Processing activities related to financial activities

Data processing activities:	1. collect, store, use and erase data to fulfil payment to suppliers 2. collect, store, use and erase data to fulfil payment to grantees 3. collect, store, use, erase and destruct data to fulfil payment of scholarships
Purpose of processing:	1. collect, store, use and erase data to fulfil payment to suppliers: fulfil payment obligation resulting from supplier contracts (payment of incoming invoices of private individuals and companies) 2. collect, store, use and erase data to fulfil payment to grantees: fulfil payment obligation resulting from grant agreements 3. collect, store, use, erase and destruct data to fulfil payment of scholarships: fulfil payment obligation resulting from grant and scholarship agreementsAll data processed by Financial Unit are stored after the fulfilment for defence of legal claims of contracting parties.
Legal basis of processing:	1. collect, store, use and erase data to fulfil payment to suppliers: · payment to non-individuals: legitimate interest pursued by REF · payment to individuals: processing is necessary for the performance of a contract to which the data subject is party2. collect, store, use and erase data to fulfil payment to grantees: legitimate interest pursued by REF 3. collect, store, use, erase and destruct data to fulfil payment of scholarships: · grant agreement: processing is necessary for the performance of a contract to which the beneficiary is party (if beneficiary is an individual) · scholarship agreement: processing is necessary for the performance of a contract to which the beneficiary is party The storage of data for defence of legal claim is based on REF’s legitimate interest.
Legal basis of processing:	1. collect, store, use and erase data to fulfil payment to suppliers: · payment to non-individuals: Section 6 Article (1) point f) of GDPR · payment to individuals: Section 6 Article (1) point b) of GDPR 2. collect, store, use and erase data to fulfil payment to grantees: Section 6 Article (1) point f) of GDPR 3. collect, store, use, erase and destruct data to fulfil payment of scholarships: · grant agreement: Section 6 Article (1) point b) of GDPR (if beneficiary is an individual); Section 6 Article (1) point f) of GDPR (if beneficiary is non-individual) · scholarship agreement: Section 6 Article (1) point b) of GDPR The storage of data for defence of legal claims is based on Section 6 Article (1) point f) of GDPR.
Data processor involved in processing:	BPION Services Kft. (H-1139 Budapest, 99 Váci str, 2nd floor) SMARTSHEET, INC.
Data processor’s processing activities:	BPION Services Kft. processes data related to accounting SMARTSHEET, INC: stores executed supplier contracts, payment approval forms of REF Hungary, REF Serbia and REF Switzerland
Personal data being processed:	1. collect, store, use and erase data to fulfil payment to suppliers: · if supplier is an individual entrepreneur or a natural person: name, TX ID, social security No, seat, bank account No, mother’s maiden name, place and date of birth · if supplier is non-individual: name, address, phone No and e-mail address of the contact person 2. collect, store, use and erase data to fulfil payment to grantees: name, e-mail address, phone No of grantee’s contact person 3. collect, store, use, erase and destruct data to fulfil payment of scholarships: · related to grants: beneficiary’s name, amount, bank account or IBAN number, SWIFT/BIC code, and grant contract ID number · related to scholarships: beneficiary’s name, amount, bank account or IBAN number, SWIFT/BIC code, and grant contract ID number
Data retention period:	1. collect, store, use and erase data to fulfil payment to suppliers: · if supplier is an individual entrepreneur or a natural person: until fulfilment of contract · if supplier is a legal person: until fulfilment of contract 2. collect, store, use and erase data to fulfil payment to grantees: until fulfilment of contract 3. collect, store, use, erase and destruct data to fulfil payment of scholarships: · related to grants: until fulfilment of contract · related to scholarships: 1 year after collection The retention period of data stored for defence of legal claims is the limitation period, specified by the Civil Code to file a complaint against REF.
Source of data:	1. collect, store, use and erase data to fulfil payment to suppliers: supplier 2. collect, store, use and erase data to fulfil payment to grantees: grantees 3. collect, store, use, erase and destruct data to fulfil payment of scholarships: · related to grants: beneficiaries · related to scholarships: beneficiary
Name and address (if any) of recipient:	transfer data to manage incoming and outgoing post: BPION Services Kft. (H-1139 Budapest, 99 Váci str,2nd floor)
Legal basis of data transfer:	transfer data to manage incoming and outgoing post: legitimate interest pursued by REF (Section 6 Article (1) point f) of GDPR)
Data subjects:	1. collect, store, use and erase data to fulfil payment to suppliers: · if supplier is an individual entrepreneur or a natural person: supplier · if supplier is a legal person: supplier’s contact person 2. collect, store, use and erase data to fulfil payment to grantees: grantee’s contact person 3. collect, store, use, erase and destruct data to fulfil payment of scholarships: · related to grants: beneficiaries · related to scholarships: beneficiary

4. Processing activities related to provide grants

Data processing activities:	1. collect, store and erase data related to grant applications 2. collect, store and erase data to execute, amend and terminate contract for receipt of funding 3. collect, store and erase data related to monitor use of funds and grants · includes if beneficiary is non-individual: conducting monitoring and field visits, check quarterly and final financial reports; · includes if beneficiary is individual: collecting mentee’s monthly reports and timesheets, tutee’s monthly reports and timesheets, tutor’s evaluation, tutor’s overview, tutor’s monthly report
Purpose of processing:	1. collect, store and erase data related to grant applications: to check if applicant meets eligibility requirements and evaluate application 2. collect, store and erase data to execute, amend and terminate contract for receipt of funding: to execute and fulfil grant contracts 3. collect, store and erase data related to monitor use of funds and grants and grants: to monitor proper use of funds and grants; assess how REF’s intervention influences beneficiary’s progress and what measures has to be taken into account to foster the progress; inform beneficiaries about new measures implemented to foster progress
Legal basis of processing:	1. collect, store and erase data related to grant applications: · if applicant is non-individual: legitimate interest of REF and grantee · if applicant is individual: consent of applicant 2. collect, store and erase data to execute, amend and terminate contract for receipt of funding: · if grant is received by non-individual: legitimate interest of REF · if beneficiary is individual: to execute and fulfil grant contract 3. collect, store and erase data related to monitor use of funds and grants: legitimate interest of REF
Legal basis of processing:	1. collect, store and erase data related to grant applications: · if applicant is non-individual: Section 6 Article (1) point f) of GDPR · if applicant is individual: Section 6 Article (1) point a) of GDPR exclusive data related to ethnic origin, which are processed in compliance with Section 9 Article (2) point a) of GDPR 2. collect, store and erase data to execute, amend and terminate contract for receipt of funding: Section 6 Article (1) point b) of GDPR 3. collect, store and erase data related to monitor use of funds and grants: Section 6 Article (1) point f) of GDPR
Data processor involved in processing:	1. collect, store and erase data related to grant applications: no data processors are involved 2. collect, store and erase data to execute, amend and terminate contract for receipt of funding: no data processors are involved 3. collect, store and erase data related to monitor use of funds and grants: no data processors are involved
Data processor’s processing activities:	1. collect, store and erase data related to grant applications: no data processors are involved 2. collect, store and erase data to execute, amend and terminate contract for receipt of funding: no data processors are involved 3. collect, store and erase data related to monitor use of funds and grants: no data processors are involved
Personal data being processed:	1. collect, store and erase data related to grant applications: · if beneficiary is non-individual: name, e-mail address and CV of grantee’s contact person, CV’s of project key staff members (e.g. project manager, project coordinator, project officer, monitoring officer, accountant/ financial officer, administrative assistant), personal data available in grantee’s proof of registration, organizational statutes and annual financial reports (e.g. name and contact data to grantee’s legal representatives, etc.), personal data available in Budget Table (e.g. name, job title, proposed net/ gross salary of project staff to be involved in the project), personal data available in Partnership Statements (name and signature of partner’s signatory)· if grant is received by individual: name, mother’s maiden name, postal address, e-mail address, phone No, place and date of birth, gender, ethnicity, grade point average at the end of the former school year, number of children, monthly income, highest education 2. collect, store and erase data to execute, amend and terminate contract for receipt of funding: · if grant is received by non-individual: name and e-mail address to grantee’s contact person, name and signature of signatories · if beneficiary is individual: name, mothers maiden name, tax ID, social security No, address, ID card No, phone No, name of bank holds beneficiary’s account, name of account holder, bank account No, SWIFT code 3. collect, store and erase data related to monitor use of funds and grants: · if grant is received by non-individual: data available in quarterly and final financial reports and in their attachments (e.g. name, job title, net/ gross salary of project staff involved in the project, data available in invoices, petty cash receipts, tendering documents, rental contracts, employment contracts, timesheets and payroll of program staff members, contracts concluded with external experts and timesheets of external experts, attendant lists and minutes of conferences/meetings, travel approval forms and tickets) data available in final project reports (e.g. name of external evaluator [if he/ she is natural person], data available in “human interest stories”, letters of support or photographs related to the project, name and signature of signatory) · if beneficiary is individual: data available in beneficiary overview outcome indicators (beneficiary’s name, date of birth, postal address, phone, e-mail address, gender, grades achieved), data available in mentee’s monthly report (mentee’s name, gender, address and signature, mentor’s name and gender), data available in mentee’s timesheet (mentee’s name, gender, address and signature, mentor’s name, gender and signature), data available in tutee’s report and timesheet (tutee’s name, gender and signature, tutor’s name and gender), data available in tutor’s evaluation (tutee’s name, gender, signature and grades achieved, tutor’s name), data available in tutor’s overview (tutor’s name, tutee’s name and grades achieved), data available in tutor’s monthly report (tutee’s name, gender, date of birth, tutor’s name), data available in tutor’s timesheet (tutee’s name, grades achieved and signature, tutor’s name and signature)
Data retention period:	1. collect, store and erase data related to grant applications: five years after grant contract is fulfilled or terminated 2. collect, store and erase data to execute, amend and terminate contract for receipt of funding: five years after grant contract is fulfilled or terminated 3. collect, store and erase data related to monitor use of funds and grants: five years after grant contract is fulfilled or terminated
Source of data:	1. collect, store and erase data related to grant applications: applicant 2. collect, store and erase data to execute, amend and terminate contract for receipt of funding: · if grant is received by non-individual: grantee · if beneficiary is individual: beneficiary 3. collect, store and erase data related to monitor use of funds and grants: · if grant is received by non-individual: grantee · if beneficiary is individual: tutee, mentee, tutor, mentor
Name and address (if any) of recipient:	1. collect, store and erase data related to grant applications: · trainers · auditor (Moore Stephens Hezicomp Kft., H-1146 Budapest, 17 Hermina str 8th floor, Hungary) · donors (e.g. The VELUX Foundations [Tobaksvejen 10, 2860 Søborg, Denmark], Open Society Foundations [224 West 57th Street New York, NY 10019, United States], Swiss Agency for Development and Cooperation [Freiburgstrasse 130 3003 Bern, Switzerland])· European Commission 2. collect, store and erase data to execute, amend and terminate contract for receipt of funding: · trainers · auditor (Moore Stephens Hezicomp Kft., H-1146 Budapest, 17 Hermina str 8th floor, Hungary) · donors (e.g. The VELUX Foundations [Tobaksvejen 10, 2860 Søborg, Denmark], Open Society Foundations [224 West 57th Street New York, NY 10019, United States], Swiss Agency for Development and Cooperation [Freiburgstrasse 130 3003 Bern, Switzerland]) · European Commission 3. collect, store and erase data related to monitor use of funds and grants: · trainers · auditor (Moore Stephens Hezicomp Kft., H-1146 Budapest, 17 Hermina str 8th floor, Hungary) · donors (e.g. The VELUX Foundations [Tobaksvejen 10, 2860 Søborg, Denmark], Open Society Foundations [224 West 57th Street New York, NY 10019, United States], Swiss Agency for Development and Cooperation [Freiburgstrasse 130 3003 Bern, Switzerland]) · European Commission
Legal basis of data transfer:	1. collect, store and erase data related to grant applications: · trainers: legitimate interest pursued by REF (Section 6 Article (1) point f) of GDPR) · auditor: fulfil legal obligation set forth in Act on Accountancy · donors: legitimate interest pursued by REF (Section 6 Article (1) point f) of GDPR) · European Commission: legitimate interest pursued by REF (Section 6 Article (1) point f) of GDPR) 2. collect, store and erase data to execute, amend and terminate contract for receipt of funding: relating to all transfer the legitimate interest pursued by REF (Section 6 Article (1) point f) of GDPR) determines legal basis of transfer 3. collect, store and erase data related to monitor use of funds and grants: relating to all transfer the legitimate interest pursued by REF (Section 6 Article (1) point f) of GDPR) determines legal basis of transfer
Data subjects:	1. collect, store and erase data related to grant applications: · if grant is received by non-individual: grantee’s contact person, project key staff member (e.g. project manager, project coordinator, project officer, monitoring officer, accountant/ financial officer, administrative assistant), grantee’s legal representative, project staff to be involved in the project, partner’s signatory · if beneficiary is individual: applicant 2. collect, store and erase data to execute, amend and terminate contract for receipt of funding: · if grant is received by non-individual: grantee’s contact person, signatories of REF and grantees· if beneficiary is individual: beneficiary 3. collect, store and erase data related to monitor use of funds and grants: · if grant is received by non-individual: project staff involved in the project, staff member, external expert, attendant of conferences/meetings, external evaluator, data subject to “human interest stories”, letters of support or photographs related to the project, signatory · if beneficiary is individual: tutee, mentee, tutor, mentor

5. Processing activities related to researches conducted by REF

Data processing activities:	1. collect, store, process and erase data to conduct research related to Roma education 2. collect, store, process and erase data to conduct research about beneficiaries of scholarships and beneficiaries of grants
Purpose of processing:	1. collect, store, process and erase data to conduct research related to Roma education: getting knowledge on education, promote REF, influence policy makers’ and wide publicity’s opinion 2. collect, store, process and erase data to conduct research about beneficiaries: understanding impacts of work of REF (where applicants work, how they live etc.), improving programmes, examine impact of benefits
Legal basis of processing:	1. collect, store, process and erase data to conduct research related to Roma education: consent of participants involved in researches 2. collect, store, process and erase data to conduct research about beneficiaries: consent of beneficiaries of scholarships and beneficiaries of grants
Legal basis of processing:	1. collect, store, process and erase data to conduct research related to Roma education: Section 6 Article (1) point a) of GDPR exclusive data related to ethnic origin, which is processed in compliance with Section 9 Article (2) point a) of GDPR 2. collect, store, process and erase data to conduct research about beneficiaries: Section 6 Article (1) point a) of GDPR exclusive data related to ethnic origin, which is processed in compliance with Section 9 Article (2) point a) of GDPR
Data processor involved in processing:	1. collect, store, process and erase data to conduct research related to Roma education: Microsoft Corporation (One Microsoft Way, Redmond, Washington 98052-6399, USA) 2. collect, store, process and erase data to conduct research about beneficiaries: no data processors are involved
Data processor’s processing activities:	1. collect, store, process and erase data to conduct research related to Roma education: store survey forms used to collect information from participants 2. collect, store, process and erase data to conduct research about beneficiaries: no processors are involved
Personal data being processed:	1. collect, store, process and erase data to conduct research related to Roma education: name, e-mail address, address, phone No, gender, ethnic origin, grade point average, information related to the receipt of any kind of financial support/scholarship for studies 2. collect, store, process and erase data to conduct research about beneficiaries: every data stored by REF related to beneficiaries of scholarships and beneficiaries of grants; see details in the following Sections “Processing activities related to provide scholarships” and “Processing activities related to provide grants”
Data retention period:	1. collect, store, process and erase data to conduct research related to Roma education: until revoke of consent, but usually at least 15 years 2. collect, store, process and erase data to conduct research about beneficiaries: until revoke of consent, but usually at least 15 years
Source of data:	1. collect, store, process and erase data to conduct research related to Roma education: participants involved in researches 2. collect, store, process and erase data to conduct research about beneficiaries: beneficiaries of scholarships and beneficiaries of grants
Name and address (if any) of recipient:	1. collect, store, process and erase data to conduct research related to Roma education: consultancies and evaluators involved in research evaluation 2. collect, store, process and erase data to conduct research about beneficiaries: consultancies and evaluators involved in research evaluation
Legal basis of data transfer:	1. collect, store, process and erase data to conduct research related to Roma education: legitimate interest pursued by REF (Section 6 Article (1) point f) of GDPR) 2. collect, store, process and erase data to conduct research about beneficiaries: legitimate interest pursued by REF (Section 6 Article (1) point f) of GDPR)
Data subjects:	1. collect, store, process and erase data to conduct research related to Roma education: participants involved in researches 2. collect, store, process and erase data to conduct research about beneficiaries: beneficiaries of scholarships and beneficiaries of grants

Processing activities related to provide scholarships

Data processing activities:	1. collect, store data to manage registered accounts 2. processing application form data 3. making interviews with applicants 4. creating shortlist of applicants 5. check university enrolment (including tuition fee certificates) 6. inform applicants about results of application process 7. collecting payment data 8. conducting online statistical research (by using online survey form available in the registered account) 9. informing former applicants about new scholarships 10. publish beneficiaries’ data on REF’S Website 11. collect, store data to manage registration in Alumni and Beneficiary Network (available in a closed Facebook group) 12. store and use data shared by participants in Alumni and Beneficiary Network
Purpose of processing:	1. collect, store data to manage registered accounts: to make application process accessible 2. processing application form data: to check, if application criteria are met, including carrying out investigation in case of doubts about the ethnicity of the applicant 3. making interviews with applicants: to evaluate applicants 4. creating shortlist of applicants: to evaluate and rank applicants 5. check university enrolment: to evaluate applicants 6. inform applicants about results of application process: to inform applicants about the result of selection Application data (as described in Pont 1 to 6) are stored, even after the beneficiaries have been chosen, for defence of legal claims of applicants or beneficiaries, who suspend their studies. 7. collecting payment data: to fulfil payment obligation set forth in grant contract 8. conducting online statistical research: to assess and analyse socio-economic status of applicants 9. informing former applicants about new scholarships: to inform former applicants of new opportunities 10. publish beneficiaries’ data on REF’S Website: to strengthen the existing transparency, increase the visibility, and promote the Roma identity of scholarship beneficiaries 11. collect, store data to manage registration in Alumni and Beneficiary Network: to make Alumni and BeneficiaryNetwork accessible for beneficiaries 12. store and use data shared by participants in Alumni and Beneficiary Network: · to develop and grow former and current beneficiaries’ network · to help building a generation of highly educated and skilful young Roma, · to ensure former and current beneficiaries to communicate each other, · to share information and ideas and to foster collaboration among network members, · to exchange information and give and receive advice on matters pertaining to former and current beneficiaries’ academic efforts and/ or professional and personal development, · to offer members information about and opportunities to initiate and /or engage in conducting surveys and studies, scientific researches, reports, policy papers, on various areas and topics relevant for their study, to provide information about life-long learning and excellence opportunities, · to provide information that facilitates beneficiaries’ access to various internships, career development and job placement, · to allow dissemination of information about meetings, events, seminaries, conferences, trainings, workshops that are of interest and relevance to the network, · to circulate Roma-related information (including reports, studies, research on the Roma, articles and news, models of good practices piloted and implemented locally, announcements of national and international initiatives and funding programs targeting Roma issues, announcements of seminars, conferences, training sessions and scholarships, internships, competitions and other opportunities for young Roma, announcements of Roma-related events such as performances, festivals, concerts, theater plays, books and movies launching, civic campaigns)
Legal basis of processing:	1. collect, store data to manage registered accounts: consent of person who creates account 2. processing application form data: consent of applicants, exclusive those data which are processed in accordance with legitimate interest pursued by REF to carry out investigation in case of doubts about ethnicity of the applicant 3. making interviews with applicants: consent of applicants 4. creating shortlist of applicants: consent of applicants 5. check university enrolment: consent of applicants 6. inform applicants about results of application process: consent of applicants The storage of data for defence of legal claim is based on REF’s legitimate interest. 7. collecting payment data: fulfil grant contract 8. conducting online statistical research: consent of beneficiaries 9. informing former applicants about new scholarships: consent of applicants and beneficiaries 10. publish beneficiaries’ data on REF’S Website: REF’s legitimate interest 11. collect, store data to manage registration in Alumni and Beneficiary Network: fulfil grant contract 12. store and use data shared by participants in Alumni and Beneficiary Network: consent of beneficiaries
Legal basis of processing:	1. collect, store data to manage registered accounts: Section 6 Article (1) point a) of GDPR 2. processing application form data: Section 6 Article (1) point a) [consent] and f) [legitimate interest of REF] of GDPR 3. making interviews with applicants: Section 6 Article (1) point a) of GDPR 4. creating shortlist of applicants: Section 6 Article (1) point a) of GDPR 5. check university enrolment: Section 6 Article (1) point a) of GDPR The storage of data for defence of legal claims is based on Section 6 Article (1) point f) of GDPR. 6. inform applicants about results of application process: Section 6 Article (1) point a) of GDPR 7. collecting payment data: Section 6 Article (1) point b) of GDPR 8. conducting online statistical research: Section 6 Article (1) point a) of GDPR, exclusive those data related to ethnic origin, which are processed in compliance with Section 9 Article (2) point a) of GDPR 9. informing former applicants about new scholarships: Section 6 Article (1) point a) of GDPR 10. publish beneficiaries’ data on REF’S Website: Section 6 Article (1) point f) of GDPR 11. collect, store data to manage registration in Alumni and Beneficiary Network: Section 6 Article (1) point b) of GDPR 12. store and use data shared by participants in Alumni and Beneficiary Network: Section 6 Article (1) point a) of GDPR
Data processor involved in processing:	1. collect, store data to manage registered accounts: Intalion Kft. (H-1012 Budapest, 4 Vérmező str.) 2. processing application form data: Intalion Kft. (H-1012 Budapest, 4 Vérmező str.) 3. making interviews with applicants: Intalion Kft. (H-1012 Budapest, 4 Vérmező str.) 4. creating shortlist of applicants: Intalion Kft. (H-1012 Budapest, 4 Vérmező str.) 5. check university enrolment: Intalion Kft. (H-1012 Budapest, 4 Vérmező str.) 6. inform applicants about results of application process: Intalion Kft. (H-1012 Budapest, 4 Vérmező str.) 7. collecting payment data: Intalion Kft. (H-1012 Budapest, 4 Vérmező str.) 8. conducting online statistical research: no data processor involved 9. informing former applicants about new scholarships: no data processor involved 10. publish beneficiaries’ data on REF’S Website: no data processor involved 11. collect, store data to manage registration in Alumni and Beneficiary Network: Facebook Ireland – 4 Grand Canal Square, Dublin Dublin 2 12. store and use data shared by participants in Alumni and Beneficiary Network: Facebook Ireland – 4 Grand Canal Square, Dublin Dublin 2
Data processor’s processing activities:	1. collect, store data to manage registered accounts: Intalion Kft.: accesses data when provides IT system support and maintenance services to Online Application System 2. processing application form data: Intalion Kft.: accesses data when provides IT system support and maintenance services to Online Application System 3. making interviews with applicants: Intalion Kft.: accesses data when provides IT system support and maintenance services to Online Application System4. creating shortlist of applicants: Intalion Kft.: accesses data when provides IT system support and maintenance services to Online Application System 5. check university enrolment: Intalion Kft.: accesses data when provides IT system support and maintenance services to Online Application System 6. inform applicants about results of application process: Intalion Kft.: accesses data when provides IT system support and maintenance services to Online Application System 7. collecting payment data: Intalion Kft.: accesses data when provides IT system support and maintenance services to Online Application System 8. conducting online statistical research: no data processors are involved 9. informing former applicants about new scholarships: no data processors are involved 10. publish beneficiaries’ data on REF’S Website: no data processor involved 11. collect, store data to manage registration in Alumni and Beneficiary Network: has access to registers data 12. store and use data shared by participants in Alumni and Beneficiary Network: store data disclosed by participants in the closed Facebook group
Personal data being processed:	1. collect, store data to manage registered accounts: user name, password, date of birth, gender, e-mail address, name, mother’s maiden name, image and No of passport/ID card/permanent residency card, Skype ID, Facebook user name, phone No, permanent address, mailing address 2. processing application form data: date of birth, gender, e-mail address, name, mother’s maiden name, image and No of passport/ID card/permanent residency card, Skype ID, Facebook user name, phone No, permanent address, mailing address 3. making interviews with applicants: name 4. creating shortlist of applicants: name 5. check university enrolment: name, education 6. inform applicants about results of application process: contact data 7. collecting payment data: bank account holder’s name, bank account, grant contract ID No 8. conducting online statistical research: mother tongue, spoken languages, ethnic origin, family characteristics (nuclear family, extended family, etc.), number of siblings and children, marital status, data related to composition of family income 9. informing former applicants about new scholarships: contact data 10. publish beneficiaries’ data on REF’S Website: full name of beneficiary, University name, photo and short bio 11. collect, store data to manage registration in Alumni and Beneficiary Network: beneficiaries’ name and e-mail address 12. store and use data shared by participants in Alumni and Beneficiary Network: any personal data disclosed by participants to each other
Data retention period:	1. collect, store data to manage registered accounts: until application has been finished 2. processing application form data: until beneficiaries are chosen, exclusive the data of beneficiaries, who suspend their studies, which are kept for three years, thus they may apply again 3. making interviews with applicants: until beneficiaries are chosen, exclusive the data of beneficiaries, who suspend their studies, which are kept for three years, thus they may apply again 4. creating shortlist of applicants: until beneficiaries are chosen, exclusive the data of beneficiaries, who suspend their studies, which are kept for three years, thus they may apply again 5. check university enrolment: until beneficiaries are chosen, exclusive the data of beneficiaries, who suspend their studies, which are kept for three years, thus they may apply again 6. inform applicants about results of application process: until information e-mail is sent The retention period of data stored for defence of legal claims is the limitation period specified by the Civil Code to file a complaint against REF.7. collecting payment data: one year after collection 8. conducting online statistical research: until revoke of consent, but usually at least 15 years 9. informing former applicants about new scholarships: until information e-mail is sent 10. publish beneficiaries’ data on REF’S Website: as long as the student is receiving a scholarship 11. collect, store data to manage registration in Alumni and Beneficiary Network: until member account is has been set 12. store and use data shared by participants in Alumni and Beneficiary Network: until revoke of consent
Source of data:	1. collect, store data to manage registered accounts: person who creates account 2. processing application form data: applicant 3. making interviews with applicants: applicant 4. creating shortlist of applicants: applicant 5. check university enrolment: applicant 6. inform applicants about results of application process: applicant 7. collecting payment data: beneficiary 8. conducting online statistical research: beneficiary 9. informing former applicants about new scholarships: beneficiary 10. publish beneficiaries’ data on REF’S Website: beneficiary 11. collect, store data to manage registration in Alumni and Beneficiary Network: current beneficiaries 12. store and use data shared by participants in Alumni and Beneficiary Network: former and current beneficiaries
Name and address (if any) of recipient:	1. collect, store data to manage registered accounts: colleagues working in local (branch) offices of non-EEA member REF countries have certain levels of access to online application system, which level is appropriate to their role and tasks 2. processing application form data: · colleagues working in local (branch) offices of non-EEA member REF countries have certain levels of access to online application system, which level is appropriate to their role and tasks · consultancies and evaluators involved in research evaluation 3. making interviews with applicants: · colleagues working in local (branch) offices of non-EEA member REF countries have certain levels of access to online application system, which level is appropriate to their role and tasks · consultancies and evaluators involved in research evaluation 4. creating shortlist of applicants: · colleagues working in local (branch) offices of non-EEA member REF countries have certain levels of access to online application system, which level is appropriate to their role and tasks · consultancies and evaluators involved in research evaluation 5. check university enrolment: · colleagues working in local (branch) offices of non-EEA member REF countries have certain levels of access to online application system, which level is appropriate to their role and tasks · consultancies and evaluators involved in research evaluation 6. inform applicants about results of application process: not relevant 7. collecting payment data: colleagues working in local (branch) offices of non-EEA member REF countries have certain levels of access to online application system, which level is appropriate to their role and tasks 8. conducting online statistical research: colleagues working in local (branch) offices of non-EEA member REF countries have access to survey results 9. informing former applicants about new scholarships: not relevant 10. publish beneficiaries’ data on REF’S Website: not relevant 11. collect, store data to manage registration in Alumni and Beneficiary Network: not relevant 12. store and use data shared by participants in Alumni and Beneficiary Network: not relevant
Legal basis of data transfer:	1. collect, store data to manage registered accounts: legitimate interest pursued by REF (Section 6 Article (1) point f) of GDPR) 2. processing application form data: legitimate interest pursued by REF (Section 6 Article (1) point f) of GDPR) exclusive those data related to ethnic origin, which are transferred in compliance with Section 9 Article (2) point a) of GDPR 3. making interviews with applicants: legitimate interest pursued by REF (Section 6 Article (1) point f) of GDPR) 4. creating shortlist of applicants: legitimate interest pursued by REF (Section 6 Article (1) point f) of GDPR) 5. check university enrolment: legitimate interest pursued by REF (Section 6 Article (1) point f) of GDPR) 6. inform applicants about results of application process: not relevant 7. collecting payment data: legitimate interest pursued by REF (Section 6 Article (1) point f) of GDPR) 8. conducting online statistical research: consent of beneficiaries [Section 6 Article (1) point a) of GDPR exclusive those data related to ethnic origin, which are transferred in compliance with Section 9 Article (2) point a) of GDPR] 9. informing former applicants about new scholarships: not relevant 10. publish beneficiaries’ data on REF’S Website: not relevant 11. collect, store data to manage registration in Alumni and Beneficiary Network: not relevant 12. store and use data shared by participants in Alumni and Beneficiary Network: not relevant
Data subjects:	1. collect, store data to manage registered accounts: person who creates account 2. processing application form data: applicant 3. making interviews with applicants: applicant 4. creating shortlist of applicants: applicant 5. check university enrolment: applicant 6. inform applicants about results of application process: applicant 7. collecting payment data: beneficiary 8. conducting online statistical research: beneficiary 9. informing former applicants about new scholarships: beneficiary 10. publish beneficiaries’ data on REF’S Website: beneficiary 11. collect, store data to manage registration in Alumni and Beneficiary Network: current beneficiary 12. store and use data shared by participants in Alumni and Beneficiary Network: former and current beneficiary

Processing activities related to use REF’s Website

Data processing activities:	management of applications for scholarships, contact form (https://www.romaeducationfund.org/contact-us/) and editing Website content
Purpose of processing:	ensure Website’s smooth operation and continuous availability
Legal basis of processing:	REF legitimate interest
Legal basis of processing:	Section 6 Article (1) point f) of GDPR
Data processor involved in processing:	No data processor is involved
Data processor’s processing activities:	No data processor is involved
Personal data being processed:	all data made available to REF by data subject when they register account on Website, apply for scholarship, contact with REF through contact form (https://www.romaeducationfund.org/contact-us/) all data that REF made publicly available on Website
Data retention period:	until manage and maintain errors that affects usage and availability of Website, registered accounts or contact form
Source of data:	data subject who registers account on Website, applies for scholarship, contacts with REF through contact form the data subject whose personal data have been publicly available by REF at REF’s Website
Name and address (if any) of recipient:	Not relevant
Legal basis of data transfer:	Not relevant
Data subjects:	data subject who registers account on Website, applies for scholarship, contacts with REF through contact form the data subject whose personal data have been publicly available by REF at REF’s Website

Cookies

REF places cookies in Website visitor’s browser to foster user experience. Cookies may at any time be deleted or denied by changing browser settings. Cookies are automatically deleted from browser after expiry date without any user intervention.

Further information about managing cookies can be found in browser’s Help file available at the following links:

If visitor deletes or denies cookies to be set, he/ she has to be aware that it may adversely affect browsing experience or may cause website features unavailability.

Cookies can be classified as “strictly necessary” if they are necessary to use the Website, “settings” if they are necessary to manage user’s website settings (e. g. chosen language, account credentials etc.), “statistical” if they are used for collecting statistical information about website visitors and “marketing” if they are used for marketing purposes.

While strictly necessary cookies can be set without website visitor’s consent, the other three categories can only be set in browsers after website visitor’s consent had been obtained.

List of the types of cookies used on the Website:

Cookie’s name	Classification	Expiry date	Functionality/ purpose of setting
_ga	statistical	It is set to expire after 2 years.	Set by Google Analytics at romaeducationfund.org to collect information about visitors. This cookie is used to distinguish unique users by assigning a randomly generated number as a client identifier. It is included in each page request in a site and used to calculate visitor, session and campaign data for the site analytics reports.
_gid	statistical	It expires after 24 hours of inactivity.	Set by Google Analytics at romaeducationfund.org to collect information about visitors. This cookie is used to group the visitor behaviour together for each visitor.
JSESSIONID	strictly necessary	It expires after browsing session is finished.	Set by gms.romaeducationfund.org. General purpose platform session cookie used by sites. Usually used to maintain an anonymous user session by the server.
org.springframework.web.servlet.i18n.CookieLocaleResolver.LOCALE	settings	It expires after browsing session is finished.	Set by gms.romaeducationfund.org and is used to store client’s side language changes.

I.General part

1. Introduction

2. Definitions

3. Who is the data controller?

4. What are the fundamental principles to data processing?

5. Is any processor involved? If so, under what conditions?

6. What measures does REF apply to guarantee the security of the personal data processed?

7. In what cases may personal data be transferred to third parties?

8. What are the rights of the data subject and how can they be enforced?

8.1 The information of the data subject

8.2 The rectification and erasure of personal data

8.3 The right to data portability

8.4 Right to the restriction of processing

8.5 The right to object to the processing of personal data

8.6 The rights of the data subject related to automated decision-making

8.7 The right to withdraw the consent given

8.8 Other issues regarding the exercise of the data subject rights

9. What are the consequences of unlawful data processing?

II. Data processing activities carried out by the Roma Education Fund

1.Processing activities related to advocacy

2. Processing related to communication activities

3. Processing activities related to financial activities

4. Processing activities related to provide grants

5. Processing activities related to researches conducted by REF

Processing activities related to provide scholarships