General Privacy Policy for EUROPEAN YOUTH CARD ASSOCIATION EURO<26

Introduction

  1. This is the General Privacy Policy of the European Youth Card Association Euro<26, with the mailing address Centre Dansaert, 7/11 Rue d’Alost, 1000 Brussels, Belgium and with registered seat at Amsterdam, Netherlands, Dutch Chamber of Commerce file no. 34142416. Our contact details are the following: telephone +32 288 06 843 and email mail@eyca.org (hereinafter as “EYCA”, “we”, “us”, “our”).
  2. We are the umbrella organisation for the development and promotion of the European Youth Card, endorsed by the Council of Europe and supported by the European Commission.
  3. This General Privacy Policy is elaborated in respect with changes in area of personal data protection in EU countries brought by Regulation No. 2016/679 of the European Parliament and Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter as “GDPR”.
  4. In this General Privacy Policy will be used legal terms as defined in GDPR; mainly will be used following terms:
    1. personal data - means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
    2. processing - means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
    3. controller - means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data (e.g. EYCA);
    4. processor - means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
    5. consent - any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
    6. data subject – natural person whom personal data are processed (app user, cardholder…).
  5. Data processing shall be in compliance with GDPR, this General Privacy Policy as well as other disclaimers published at EYCA webpage or apps.

I. Why we process personal data?

  1. EYCA as a controller processes personal data of young people buying the European Youth Card via the KIOSK (at EYCA webpage) or using any of EYCA’s apps that shows nearby discounts to their users.
  2. EYCA do not process personal data of cardholder if the European Youth Card was issued by an EYCA Member Organisation (usually organisation issuing European Youth Card in European countries). In that case EYCA provides only the European Youth Card logo (as license) and archives only the card number, the date of issue of the card and its expiration date. Personal data collected and written on the card are obtained and processed by the EYCA Member.
  3. In respect with above stated, we collect personal data due to following operations of EYCA:
    • Providing European Youth Card via KIOSK (at EYCA’s webpage)
    • Providing the European Youth Card for participants in the European Voluntary Service and Erasmus+ volunteering activities
    • Providing app for Erasmus+ Volunteers
    • Providing app for European Youth Card users
    • Sending promotional emails if you so consented

II. What kind of your personal data we collect?

  1. We collect personal data filled in the online registration forms on our webpage or in our apps.
  2. Data we collect varies according to the registration form you fill in, but usually we collect your full name, date of birth, email address, delivery address. In apps we collect your location if you choose to provide it to us via the settings in your telephone. In KIOSK we additionally collect your telephone number and billing information (e.g. PayPal account).
  3. We do not collect special categories of personal data (e.g. health data, ethnic, religious data, political and so on).

III. Legal basis and purpose of data processing

  1. We process your personal data exclusively based on your consent to your personal data processing.
  2. Purpose of data processing is strictly fixed to the extent of your consent.
  3. If you buy the European Youth Card, we use your data for card issuing, delivery of card and payment for services if required.
  4. If you wish to use our apps, we will use your personal data to verify you are a European Youth Cardholder, to create your account and manage it, as well as to improve our services. We may also collect additional information about data usage, your device or other technical measures.
  5. Your consent is necessary for using our services (European Youth Card, apps), therefore it is a contractual requirement.
  6. We do not process your personal data for promotional activities (e.g. sending promotional emails) unless you provide us with your consent for that purpose.

IV. Retention of personal data

  1. We store your data for determined purposes only and for a determined period of time. That is the time during which you are a user of our services.
  2. If you buy a European Youth Card, we store your data from the moment you provide them to us until the expiration date of your card.
  3. If you use our apps, we store your data only during the time you are using our apps, i.e. until the moment you cancel your account.
  4. After you terminate using our services, we will use your personal data only for compatible purposes that are statistical and archival purposes.

V. Security of your data and data transfer

  1. We store your data only on our secured servers located in Netherlands.
  2. Safety of your data is very important to us. We follow generally accepted standards to protect the personal information submitted to us, both during transmission and once we receive it. No method of transmission over the Internet, or method of electronic storage, is 100% secure, however. Therefore, we cannot guarantee its absolute security.
  3. We do not transfer your data outside the EU.

VI. Who else process your personal data

  1. We share your personal data with our partners that process your personal data on our behalf. These partners are companies fabricating and issuing European Youth Cards, companies providing delivery services, companies providing legal services, companies providing IT services, our Data Protection Officer.
  2. They are obliged to us by strict processing agreements and rules they have to follow.
  3. Beside that we provide your personal data to other entities if we are required to do (e.g. to state or European authority, police, courts…).

VII. Rights of individuals

  1. You are fully entitled to manage your personal data processing as well as participate in the process. For that GDPR grants you certain rights as specified below that you can exercise.
  2. In connection with exercising your rights you can contact us or our Data Protection Officer who handles your requests.
  3. If you wish to contact us directly, you can do it by email to mail@eyca.org, by telephone +32 288 06 843, correspondence address European Youth Card Association Euro<26, Centre Dansaert, 7/11 Rue d’Alost, 1000 Brussels, Belgium.
  4. Contact to our Data Protection Officer: Steiner & Associates, s.r.o., which is a law firm based in Slovakia, that has sufficient level of expertise and professional qualities in data protection area; mailing address Moyzesova 46, 040 01 Košice, Slovakia, email office@steinerassoc.eu. Our Data Protection Officer will manage your request and will give you additional information about how it will be handled.

If you exercise you right, we will contact you as soon as possible to confirm the acceptance of your request, and you will get answer from us within one month following your request at the latest.

We are obliged to secure your identity, therefore we may ask you to provide additional proof of your identity for the purpose of handling your request.

Please acknowledge that you can choose the form in which you would like to communicate with us. If you do not choose such a form, we will communicate with you in the form that you used for your request.

Your rights

  1. Right to access to your data

    You have right to know if we process your personal data, and if we do, you are entitled to obtain a copy of summary of your data processed. This copy would contain information about data processing, e.g. purposes of data processing, categories of your personal data, recipients of your personal data, data storage and so on.

  2. Right to rectification

    We shall process only your accurate personal data. If there are changes to your personal data or any kind of mistakes in processed personal data, we urge you to contact us and we will correct your data.

  3. Right to erasure

    You have the right to request erasure of your personal data, if there is fulfilled at least one condition stated in Art 17 of GDPR. For example, you can exercise your right to erasure if your personal data are no longer necessary to process for original purpose, you withdrawn your consent with data processing, your data have been unlawfully processed and so on.

    However, we will not erase your personal data if their further processing is necessary to submit a legal requirement from state or EU law, their processing is needed for establishment, exercise or defense of legal claims or we process your data only for statistic and archiving purpose.

  4. Right to restriction of processing

    You can request from us restriction of your personal data processing if there is fulfilled any condition stated in Art 18 of GDPR. For example, you can apply your right to restriction of processing in case you already contested to the accuracy of your data, processing of your data is unlawful, but you do not wish to erase data – only restrict their processing, we do not need your personal data for original purpose but for establishment, exercise of defense of legal claims of you already exercised right to object personal data processing.

    If you exercise the right to restriction of processing, data processing will cease and further processing of your data is possible only by your exclusive consent, or for establishment, exercise or defense of legal claims or for protection of another individual’s rights.

  5. Right to data portability

    You have right to obtain your personal data we process in a structured, commonly used and machine-readable format (e.g. xml format) and you can transmit these data to another controller. If it is technically possible and you require it, we will transmit your personal data to another controller directly.

  6. Right to object and automated decision making

    This right is fixed with data processing based on legitimate interests of controller or on task carried out in the public interest. We do not process your personal data on these grounds, but on your consent. Therefore this right would not apply in our case.

    We do not make decision based solely on automated processing including profiling, which produces legal effects to you.

  7. Right to withdraw your consent

    If you gave us consent to your personal data processing, you have the right to withdraw it any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

  8. Right to lodge a complaint to supervisory authority

    If you are not satisfied with the result of your request solution or you have concerns regarding the lawfulness of your personal data processing, you can lodge a complaint to our supervisory authority that is the Dutch Data Protection Authority (https://autoriteitpersoonsgegevens.nl/en/contact-dutch-dpa/contact-us)

Brussels, May 21st 2018.