ENSWaP is a network of parents who take interest in Steiner / Waldorf education. ENSWaP disseminates information and organizes events for its members, for other parents in Europe who are interested in Steiner / Waldorf education and for anyone interested in its activities.
During the course of these activities, ENSWaP gains access to personal information that it processes. This document describes
- how ENSWaP gains such data;
- how ENSWaP functions as a data controller;
- the different kinds of data ENSWaP processes;
- how long data is handled and what happens to data no longer needed;
- what happens to this data during and after procession;
- the rights of data subjects related to their data.
This document was prepared to fulfill the data protection requirements set up by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter: GDPR). Terms used in this policy have the same meaning that are used in the GDPR. A link to the GDPR is provided at the end of this policy.
How does ENSWaP collect data?
ENSWaP collects data that is generated or submitted when you visit our homepage, when you subscribe or read our newsletter and when you sign up and participate on one of our events. Some of the data we receive is generated automatically by our servers and some are created as responses when you click on links on our webpage (e.g. cookies), download pages or documents. But most data ENSWaP receives is data submitted on the decision of the data subject (e.g. using on-line or paper based forms). We may also receive data from banks or authorities (for example when you execute payment for one of our events or if you apply for a Schengen Visa to visit one of our events in the Schengen Area).
Who is the data controller?
ENSWaP is not a legal entity, nor any kind of civil society. It does not have a permanent board or committee responsible for managing its activities. ENSWaP is a loose federation of like-minded parents who take interest in Steiner / Waldorf education. We do not have employees or permanent staff. We have volunteers who keep our newsletter service running or who organize events. These people are the data controllers. We all work independently. However, we have a similar sense of responsibility and we all agree that anything organized or sent under the framework of ENSWaP is made according to these privacy guidelines. The names and the contact info of these data controllers (the organizers) are made available on our website.
The data controllers for different areas do not share data with other areas (for example if you sign up for an event, your data will not be submitted to those dealing with the newsletters and won’t be forwarded to organizers of other events). This also means that you have to sign up for events and newsletters separately.
ENSWaP does not have a single permanent data protection officer. We have separate data protection officers for the newsletter and for the events. Their contact information is made available on our website.
What forms of data ENSWaP processes? (Data Map)
ENSWaP processes the following data:
E-mail addresses for newsletters:
Data when you sign up for our newsletter, you enter an e-mail address that we will use to deliver our newsletter.
Basis: We store this information as long as you wish to receive our regular newsletters. This e-mail address is collected with your permission.
Duration: You may unsubscribe at any time, at which point we will discard your e-mail address. We are not able to provide you this service if you do not provide an e-mail address.
Sharing: No. This e-mail address will only be used to send you our newsletter and will only be used by our volunteers who send out the newsletters.
Data for our events:
Data: when you sign up for one of our events, you will have to provide your name (mandatory), your country of origin (mandatory), contact information (mandatory, e-mail, phone and postal address), the name of the institution you work for (optional), dietary preferences (optional), lodging preferences (optional), participation on special separate events (optional; e.g. city tours, gala dinners), payment information (mandatory if the event has a participation fee).
Basis: Data is collected partly to fulfill regulatory requirements and some is given voluntarily. You have to provide mandatory information if you wish to participate and you may provide optional information that enables us to make your stay at our event more memorable.
Duration: Data you have submitted is kept for 3 months following the end of the event. However, if anything uncommon happens during the event that requires the intervention of authorities or medical assistance, the data is retained for the duration required by law. Payment information is retained as required by law on the prevention of fraud and money laundering. Payment is usually made to an association located in the country where our event is being held. In this case the laws of that country is applicable for payments. If payment is made to institutions in another country, the law of that country applies.
Sharing: Data submitted may be shared with authorities on request. Also, if you submitted dietary or lodging preferences or special events, this data may be shared with caterers, lodging or other service providers.
Data collected at our events:
Data: lists of participation, photos taken at the event
Basis: A list of participants is needed to fulfill legal requirements. Photos are normally taken during events, however, you may ask to be excluded from photos if you wish. You may not oppose to be photographed on public events. Also, in certain cases (e.g. if the event was realized using EU funds) photos may be required to document the event.
Duration: We normally keep lists of participation for 3 months. We keep photos for 5 years. However, if the event was organized using public funds (e.g. state, EU), such information is retained for the duration required by law.
Sharing: The list of participants may be shared with authorities. Also, if the event was funded using public funds (e.g. state, EU), controllers may request access to this information.
Cookies on our websites and tracking information for our newsletters:
Data: We collect data to enhance the quality of our website and our newsletters as well as to guarantee that the content is provided and presented correctly. This information shows us which pages you visit on our site, how much time you spend on a page, which page you visit from that page.
Basis: The consent of the data subject. You give your consent when you visit our homepage or subscribe to our newsletter. You may set your cookie settings in your browser and disallow the functioning of certain cookies. However, please bear in mind that in this case certain functions on out webpage may not function properly.
Duration: Cookies are stored on your computer. You may delete them in the settings of the browser. Information we gain from you reading our newsletter is deleted after 1 year.
Sharing: We do not share this information with others. We only use it to refine our own procedures.
What happens to data once it is deleted?
Deleting data means that it is no longer stored and may not be accessed. However, before deletion we derive statistical data that may help our future work, but it may no longer be connected to you.
Does ENSWaP handle sensitive data?
Yes. If you enter it voluntarily, we handle information you give to us regarding your dietary preferences. This data may be used to come up with conclusions on your health or on your religious belief.
Entering such information is never obligatory and you may participate in our events without giving us this information.
Does ENSWaP use profiling or does it use data for commercial purposes?
No. We do not use profiling and we do not use data for commercial purposes. We do not sell data and we do not give it to third parties for commercial purposes.
Does ENSWaP transfer data outside the EU?
We use cloud services (for example Google, GitHub and MailChimp) whose servers are located in EU and the United States of America. If a certain event is organized outside the EU, data will be transferred to the local organizers. However, as ENSWaP is a European network, our activity does not extend to other continents.
What happens in case of an incident?
In case of an incident (data breach) we will notify you as quickly as possible about the fact and offer you advice on how you can protect your data (e.g. to change your password immediately).
What are the rights of the data subject?
Rights of the data subject are contained in articles 15-20 of the GDPR. The GDPR is available here.
This article only enters into force if the United Kingdom leaves the EU without an international agreement between the EU and the United Kingdom that specifically regulates the rules on data protection and the minimum requirements on data transfer from the EU to United Kingdom (hereinafter: no-deal Brexit).
In case of a no-deal Brexit the United Kingdom will be treated as a non-EU third country regarding data protection and the transfer of data as long as the European Commission does not adopt an adequacy decision according to Article 45. of the GDPR.
If you sign up to any of the ENSWaP events organized in the United Kingdom or by volunteers located in the United Kingdom, your data will be transfered outside of the EU. You will be specifically reminded to this fact when you sign up. You cannot participate on the event in case you do not accept this data transfer.
ENSWaP has a webpage and usually sends out newsletters in the English language and ENSWaP may ask native English speaker volunteers to proof-read the content of our webpage, our newsletters or the invitation to our events. During this process ENSWaP may send the contact information of the writer of the article to the volunteer proof-reading the text. This means that this contact data will be sent outside the EU. By submitting a document to be sent out in a newsletter or to be published on out website you accept this data transfer.