Effective Date: 03.02.2023
Last Updated: 20.03.2026
1. Purpose of this Policy
This GDPR Policy sets out the principles, commitments, and governance measures applied by Asociația Clusterul de Excelență în Securitate Cibernetică (CYSCOE) in relation to the processing of personal data.
This document complements the Privacy Policy and reflects CYSCOE’s commitment to lawful, fair, transparent, secure, and accountable processing of personal data, in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR) and the applicable legal framework governing privacy and data protection.
The GDPR establishes a principles-based regime requiring organizations not only to comply, but also to be able to demonstrate compliance through appropriate governance, safeguards, documentation, and organizational accountability.
2. Scope
This Policy applies to personal data processed by CYSCOE in connection with:
- website administration and digital communications;
- institutional correspondence and stakeholder interaction;
- strategic partnerships and collaboration initiatives;
- meetings, conferences, events, workshops, calls, and training activities;
- project implementation and ecosystem engagement;
- operational, administrative, legal, and governance-related activities.
This Policy applies to personal data processed in electronic, written, and verbal form, where such processing falls within CYSCOE’s responsibility.
3. Identity of the Data Controller
Unless otherwise stated in a specific contractual or operational context, the data controller is:
Asociația Clusterul de Excelență în Securitate Cibernetică
Mareșal Alexandru Averescu nr. 8-10, et. 1, cam. 104, sector 1, București
Email:
Where CYSCOE determines the purposes and means of processing, it acts as a data controller. In distinct contractual relationships, CYSCOE may act in another legally defined capacity depending on the allocation of roles and responsibilities.
4. Core Data Protection Principles
CYSCOE applies the following principles to the processing of personal data:
4.1 Lawfulness, Fairness and Transparency
Personal data shall be processed lawfully, fairly, and in a transparent manner in relation to the data subject.
4.2 Purpose Limitation
Personal data shall be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
4.3 Data Minimisation
Personal data shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.
4.4 Accuracy
Reasonable steps shall be taken to ensure that personal data is accurate and, where necessary, kept up to date.
4.5 Storage Limitation
Personal data shall be retained only for as long as necessary for the relevant processing purpose, unless a longer retention period is required or justified by law or legitimate compliance needs.
4.6 Integrity and Confidentiality
Personal data shall be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
4.7 Accountability
CYSCOE recognizes that compliance must be demonstrable. Accordingly, data protection is supported not only through public notices, but also through internal governance, access control, vendor oversight, retention practices, and documented safeguards.
5. Lawful Bases for Processing
CYSCOE processes personal data only where an appropriate legal basis exists under the GDPR. Depending on the circumstances, this may include:
- the data subject’s consent;
- performance of a contract or steps taken prior to entering into a contract;
- compliance with a legal obligation;
- legitimate interests, provided such interests are not overridden by the rights and freedoms of the data subject.
Where consent is used as the legal basis, it must be freely given, specific, informed, and unambiguous, and it may be withdrawn at any time.
6. Categories of Personal Data
Depending on the relevant context, CYSCOE may process categories of personal data such as:
- identification data;
- contact data;
- professional affiliation and role-related data;
- communication and correspondence data;
- technical and digital interaction data;
- event or participation-related data;
- data voluntarily provided through forms, email, meetings, or institutional interactions.
CYSCOE seeks to limit personal data processing to what is relevant and necessary for legitimate institutional and operational purposes.
7. Special Categories of Personal Data
CYSCOE does not intentionally seek to collect special categories of personal data through its website or ordinary communication channels, unless such processing is clearly necessary, lawfully justified, and supported by an appropriate legal basis under Article 9 GDPR.
Where such data is received unintentionally, CYSCOE will assess the necessity of retaining it and will handle it in accordance with the principles of minimisation, security, and lawful processing.
8. Data Subject Rights
Subject to the conditions and limitations laid down by law, data subjects may have the following rights:
- the right to be informed;
- the right of access;
- the right to rectification;
- the right to erasure;
- the right to restriction of processing;
- the right to data portability;
- the right to object;
- the right to withdraw consent, where consent is the legal basis;
- the right not to be subject to a decision based solely on automated processing, including profiling, where applicable;
- the right to lodge a complaint with a supervisory authority.
CYSCOE shall consider and respond to requests concerning these rights in accordance with applicable law and within the legally applicable timeframes.
To exercise such rights, a request may be sent to:
9. Identity Verification
Where a person submits a request relating to personal data, CYSCOE may take reasonable and proportionate steps to verify the identity of the requester before disclosing, modifying, or deleting personal data.
These verification measures are intended to protect data subjects against unauthorized disclosure, identity fraud, misuse, or unlawful access.
10. Technical and Organizational Measures
CYSCOE implements appropriate technical and organizational measures designed to ensure a level of security appropriate to the nature, scope, context, and risks of processing.
Such measures may include:
- controlled access to data on a role-based and need-to-know basis;
- secure hosting and systems administration;
- confidentiality measures for communications and records;
- identity and access management practices;
- monitoring, logging, and technical review;
- secure transfer methods and encryption where appropriate;
- procedures for secure handling, storage, and disposal of information.
These measures are intended to support the confidentiality, integrity, availability, and resilience of personal data processing operations.
11. Data Processors and Service Providers
Where CYSCOE engages third-party service providers for hosting, IT support, communications, cybersecurity, analytics, administration, legal support, or similar operational services, those providers may process personal data on behalf of CYSCOE.
In such cases, CYSCOE seeks to ensure that:
- service providers are selected with due regard to reliability and appropriate safeguards;
- contractual arrangements reflect applicable data protection requirements;
- personal data is processed only to the extent necessary for the agreed service;
- service providers are subject to confidentiality, security, and data protection obligations.
12. Disclosure to Authorities and Legal Use of Data
CYSCOE may disclose personal data where necessary:
- to comply with applicable legal obligations;
- to respond to lawful requests from competent public authorities;
- to establish, exercise, or defend legal claims;
- to prevent fraud, abuse, unauthorized access, or other conduct affecting CYSCOE’s legitimate rights or digital environment.
Such processing shall be carried out only where a lawful basis exists and where the disclosure is necessary and proportionate.
13. International Transfers
Where personal data is transferred outside the European Economic Area, CYSCOE will ensure that the transfer is subject to an appropriate safeguard recognized under EU data protection law, such as:
- an adequacy decision;
- Standard Contractual Clauses;
- another lawful transfer mechanism.
CYSCOE seeks to ensure that international transfers are assessed with due regard to legal, technical, and operational risk.
14. Data Retention and Review
Personal data shall be retained only for as long as necessary for the purpose for which it was collected, taking into account:
- the nature and duration of the relevant relationship or interaction;
- legal, regulatory, tax, audit, and evidentiary obligations;
- security, fraud-prevention, and continuity requirements;
- the need to establish, exercise, or defend legal rights;
- whether the information remains accurate, relevant, and necessary.
Where data is no longer required, it shall be deleted, anonymized, archived, or otherwise securely handled in accordance with applicable retention practices.
15. Children’s Data
CYSCOE does not intentionally target children through its website and does not knowingly collect personal data relating to minors unless there is an appropriate legal basis and a legitimate operational reason for doing so.
Where CYSCOE becomes aware that personal data relating to a minor has been processed without an appropriate legal basis, it will take reasonable steps to assess and address the situation in accordance with applicable law.
16. Governance, Review, and Continuous Compliance
CYSCOE recognizes that data protection compliance is an ongoing governance responsibility rather than a one-time formal exercise.
Accordingly, this Policy may be reviewed and updated periodically to reflect:
- changes in law or regulatory interpretation;
- operational or technological developments;
- changes in service providers or digital infrastructure;
- changes in the nature, scale, or risk profile of personal data processing.
17. Data Protection Officer
At present, CYSCOE does not designate a permanent Data Protection Officer.
If the scale, nature, or legal context of processing changes in a way that may trigger such an obligation under applicable law, CYSCOE may reassess this position and take appropriate measures.
18. Complaints and Supervisory Authority
If you believe that your personal data has been processed in breach of applicable law, you may contact CYSCOE so that the matter can be reviewed internally.
You also have the right to lodge a complaint with the Romanian supervisory authority:
Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)
B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, cod poștal 010336, București, România
Email:
Website: www.dataprotection.ro
19. Contact
For questions relating to this GDPR Policy or to the processing of personal data by CYSCOE, please contact:
Asociația Clusterul de Excelență în Securitate Cibernetică
Mareșal Alexandru Averescu nr. 8-10, et. 1, cam. 104, sector 1, București
Email: