DDD Southeast Europe — Dialogue for Democracy and Development
Legal

Privacy Notice

How we handle your personal data — in accordance with the EU General Data Protection Regulation (GDPR). Effective 11 May 2026. Last updated 11 May 2026.

DDD Southeast Europe respects your privacy and is committed to protecting your personal data. This Privacy Notice explains what information we collect, why we collect it, how we use it, how long we keep it, and what rights you have.

The Notice covers data collected through this website (forms, cookies, server logs), data submitted directly to the foundation by email or post, and data the foundation processes in administering membership, events, and publications.

Who is responsible for your data

The data controller for personal data processed in connection with the foundation's activity is:

DDD Southeast Europe
Registered office — Bucharest, Romania
Data protection contact: data-protection@ddd-southeast-europe.org

What data we collect

We collect personal data when you interact with the foundation's website and services, including:

  • Membership applications — name, contact details, sector, role, country, motivation statement, and source of referral.
  • Event applications — name, contact details, affiliation, accessibility needs, member status, and source of referral.
  • Contact messages — name, email, organisation, country, subject, and message body.
  • Server logs — IP address, browser type, pages requested, and timestamps, retained for security and analytics.
  • Cookies — see the Cookies Policy for the full list.

Why we collect it (lawful basis)

The foundation processes personal data on the following lawful bases under the GDPR:

  • Contract performance — administering member and event participation.
  • Legitimate interest — responding to general inquiries and operating the foundation's activities.
  • Consent — analytics cookies, marketing communications, and optional newsletter signup.
  • Legal obligation — financial and statutory record-keeping required under Romanian and EU law.

How long we keep your data

Retention periods depend on the processing activity. Rejected applications are deleted after a defined review period. Member records are retained for the duration of membership plus a defined retention period. Contact-form messages are retained while the inquiry is being handled. Financial records are retained as required by Romanian law.

Who we share data with

The foundation shares personal data only with named categories of processors and partners, under contractual confidentiality: technical processors (web host, CMS host, email-delivery service, analytics provider where consented), professional advisers (legal, accounting, audit), and regulatory authorities where required by law.

International transfers

Where data is processed outside the European Economic Area, the foundation relies on adequacy decisions or Standard Contractual Clauses approved by the European Commission. Specific transfer mechanisms are disclosed per processor.

Your rights

Under the GDPR you have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate or incomplete data
  • Delete your data (right to be forgotten), subject to legitimate exceptions
  • Restrict processing in certain circumstances
  • Object to processing based on legitimate interest
  • Data portability — receive your data in a structured, machine-readable format
  • Withdraw consent at any time where processing is based on consent
  • Lodge a complaint with your national data-protection authority — for the foundation's main establishment, that is ANSPDCP (Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal) in Romania.

To exercise any of these rights, write to data-protection@ddd-southeast-europe.org. We respond within one month of receipt of a clear request.

Cookies

See the Cookies Policy for detail on which cookies this website uses, what they do, how long they last, and how to manage your preferences.

Security

The foundation applies organisational and technical measures to protect personal data, including encrypted transit (TLS), access controls, employee confidentiality undertakings, and a breach- notification procedure aligned with GDPR requirements.

Children's data

The foundation's activities are directed at adults. We do not knowingly collect personal data from anyone under 16. If you believe a child has submitted data, please write to data-protection@ddd-southeast-europe.org and we will delete it promptly.

Changes to this Notice

Material changes to this Privacy Notice will be communicated on this page with an updated effective date. Members will be notified by email of substantive changes to processing activity.

Contact

Questions about this Notice or about how the foundation handles your personal data can be sent to data-protection@ddd-southeast-europe.org.

Last updated: · Effective: