Privacy Notice on the Processing and Protection of Personal Data
— Participation in events organised or co-organised by NCC-RO, in physical, online or hybrid format, including photo and audio-video recordings —
Essential information
What data we collect: first name and surname, the organisation/institution you belong to and your e-mail address (necessary for registering and managing your participation); photographs, audio recordings and video recordings made during the event, whether it takes place in physical, online or hybrid format (including via platforms such as Zoom, Microsoft Teams, Google Meet or equivalents); the name and/or image you display in the online platform interface (avatar, username, video background image); verbal and written contributions (questions, comments, chat messages) made during the event.
Categories of data subjects: participants in events organised or co-organised by NCC-RO, including speakers, moderators and guests.
Why: to manage administrative registrations, communicate logistical information, issue attendance lists, document the conduct of the event through photographs and audio-video recordings, transmit the event materials (recordings, presentations, photographs) to participants after the event has ended, promote the activity of the NCC-RO community, and fulfil the reporting obligations associated with projects financed from European funds.
Legal basis: the processing is carried out on the basis of Art. 6(1)(e) GDPR — the performance of a task carried out in the public interest, in accordance with the mandate of NCC-RO established by Regulation (EU) 2021/887. The public interest covers both the administrative management of participation (registration, attendance lists, logistical communication) and the documentation of events through photographs and audio-video recordings, the transmission of materials to participants, and the promotion of the activity of the NCC-RO community.
How long we keep the data: administrative registration data is kept for the duration of the project under which the event takes place and for 5 years after the date of the final payment made by the funder, in accordance with the archiving obligations laid down in Art. 82 of Regulation (EU) 2021/1060. Photo, audio and video materials are kept for the duration of the project and thereafter for up to 5 years after its completion, as supporting documentation of the activity; for materials published on the official NCC-RO channels, the period extends for as long as is necessary to fulfil the purposes for which they were made. Upon expiry of the period, the data is deleted or anonymised, except where a specific legal obligation requires it to be kept for a longer period.
To whom we transmit the data: the NCC-RO team, the main organisers of the event (where NCC-RO participates as a co-organiser), participants in the event (where recordings and event materials are transmitted after the event, for documentation and professional consultation purposes), the general public (for the excerpts and materials published on the official NCC-RO channels) and, upon request, the ECCC or other authorities with powers to audit and control European funds, exclusively for audit-trail purposes.
Your rights: you may at any time request access to, rectification, erasure or restriction of the processing of your data, as well as the right to object (Art. 21 GDPR) to the processing of your image or voice in the materials produced. Where the right to object is exercised, NCC-RO will take reasonable measures to anonymise or remove the data subject from the published materials, in so far as this is technically possible. For any request, contact NCC-RO at ncc-ro@ncc.gov.ro or the ADR DPO at dpo@adr.gov.ro.
Data controller
The Authority for the Digitalisation of Romania (ADR) is responsible for the processing of your personal data.
The National Cybersecurity Coordination Centre — NCC-RO, an organisational structure within ADR, coordinates national initiatives and projects in the field of cybersecurity and organises or co-organises events in this field, in physical, online or hybrid format. The activities of collecting, audio-video recording and managing participants’ data are carried out by NCC-RO, while the legal responsibility for the processing of the data lies with ADR.
ADR/NCC-RO contact details:
B-dul Libertății no. 14, Sector 5, Bucharest, postal code 050706
Website: https://ncc.gov.ro
E-mail: ncc-ro@ncc.gov.ro
Data Protection Officer (DPO)
You may contact the Data Protection Officer within ADR at: dpo@adr.gov.ro.
What is personal data?
Personal data is any information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or by reference to specific elements such as image, voice or other physical or behavioural characteristics.
How does NCC-RO process personal data?
NCC-RO processes personal data in accordance with the principles and provisions of Regulation (EU) 2016/679. These provisions require that personal data be:
processed lawfully, fairly and transparently;
collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes (purpose limitation);
adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation);
accurate and, where necessary, kept up to date;
kept in a form which permits identification of data subjects for no longer than is necessary (storage limitation);
processed in a manner that ensures appropriate security of the data, including protection against unauthorised or unlawful processing and against accidental loss or damage (integrity and confidentiality).
1. Purpose of the processing and legal basis
The data is processed for the purpose of organising and conducting events (conferences, seminars, workshops, working sessions, networking events, webinars and online sessions) organised or co-organised by NCC-RO, in physical, online or hybrid format, within projects financed from non-reimbursable European funds, including the Digital Europe Programme and Horizon Europe.
1.1. Purposes regarding administrative registration data
registering and confirming participation in the event;
communicating logistical information (event details, changes, materials);
drawing up attendance lists and supporting documentation for reporting to funders;
transmitting the list of participants to the main co-organiser of the event, where NCC-RO participates as a co-organiser;
providing the data to the ECCC or other authorities with audit and control powers, exclusively for audit-trail purposes.
1.2. Purposes regarding photo, audio and video materials
documenting the conduct of the event through photographs and audio-video recordings, both for physical events and through the full recording of online sessions such as Zoom, Microsoft Teams, Google Meet or equivalents;
transmitting the recordings and event materials to participants, after the event has ended, for professional consultation and use (including to participants who were unable to attend live);
publishing excerpts or documentation materials on the official NCC-RO channels (website, social media accounts, activity reports, presentations to funders), to promote the activity of the NCC-RO community and the objectives of the financed projects;
using the materials as supporting documentation in the audit trail of projects financed from European funds.
1.3. Legal basis
The legal basis for the entire processing is Art. 6(1)(e) of Regulation (EU) 2016/679 (GDPR) — processing is necessary for the performance of a task carried out in the public interest, in accordance with Articles 7, 8 and 13 of Regulation (EU) 2021/887 of the European Parliament and of the Council of 20 May 2021, which sets out the tasks of the national coordination centres in the field of cybersecurity. The audio-video and photo documentation and the retention of event recordings are integral components of this mandate — necessary for reporting to funders (the audit trail), for disseminating knowledge within the cybersecurity community, and for the transparency of the activity of a public authority.
The data subject may at any time exercise the right to object provided for in Art. 21 GDPR, in accordance with section 6 of this notice.
2. Categories of data processed
In the course of the registration and participation process, NCC-RO processes the following categories of personal data:
2.1. Administrative registration data
First name and surname — identification of the participant;
Organisation/institution of origin — necessary for documenting the representativeness of the event and for reporting to funders;
E-mail address — communicating logistical information, confirming registration and transmitting event materials.
2.2. Data generated during the event
Photographs taken during the physical event, or screenshots and photographs from online events;
Audio and video recordings of the event, in full or in part, in physical, online or hybrid format;
Information displayed in the online platform interface (username, avatar, video background image) — where the participant has the camera active or interacts in the chat;
The content of verbal or written contributions (questions, comments, chat messages, presentations) made by participants during the event.
NCC-RO does not collect sensitive data (health data, political opinions, biometric data processed for the purpose of unique identification, etc.) in the course of event registration or through the audio-video recordings made.
3. Recipients and transmission of data
Access to participants’ data is limited to the following categories of recipients:
authorised NCC-RO staff involved in organising the event, in accordance with the need-to-know principle;
the main co-organiser of the event, where NCC-RO participates as a co-organiser — the list of participants and, where applicable, the event recordings are transmitted to the co-organiser exclusively for the purpose of centralising the event documentation;
the other participants in the event — for the audio-video materials and photographs transmitted after the event for documentation and professional consultation purposes (full recordings or excerpts, presentations, event materials); transmission is carried out via a secure download link, e-mail or sharing platform with controlled access;
the general public — for the excerpts or materials published on the official NCC-RO channels (website, social media accounts, public reports);
the ECCC (European Cybersecurity Competence Centre), upon its express request, exclusively for the audit-trail purposes relating to projects financed from European funds;
public authorities or institutions of the European Union with audit, control or investigation powers (e.g. the European Court of Auditors, OLAF, EPPO), within the limits provided for by law.
The data is processed, in principle, within the European Economic Area. Where online platforms are used (Zoom, Microsoft Teams, Google Meet, Webex or equivalents), transfers outside the EEA may take place, which are covered by the standard contractual clauses adopted by the European Commission and by the additional measures applied by the respective providers.
4. Storage period
4.1. Administrative registration data
for the duration of the event and of the project under which it is organised;
5 years after the date of the final payment made by the funder, in accordance with the archiving obligations specific to projects financed from non-reimbursable European funds (Regulation (EU) 2021/1060 on the structural funds and other applicable regulations);
in the case of specific legal obligations (investigations, judicial requests), the storage period may be extended strictly for the fulfilment of those obligations.
4.2. Photo, audio and video materials
for the duration of the project under which the event takes place, as supporting documentation of the activity;
5 years after the completion of the project, where the materials form part of the audit trail relating to projects financed from European funds;
for materials published on the official NCC-RO channels: until the material is no longer necessary for the purposes for which it was made, or until a well-founded objection request is upheld;
recordings transmitted to participants after the event remain available to them via the sharing link; deletion from the NCC-RO servers is carried out in accordance with internal retention and archiving policies.
After the expiry of the above-mentioned periods, the data will be deleted or anonymised in accordance with the internal procedures of ADR and with the National Archives Law no. 16/1996.
5. Security measures
Participants’ data is stored on secure ADR/NCC-RO servers, with appropriate technical and organisational measures to prevent unauthorised access, loss or alteration of the data. Photo, audio and video materials are kept in storage areas with restricted access, and transmission to participants is carried out via secure links or sharing platforms with controlled access (password, link expiry, restriction to the list of participants). Access to the materials is restricted exclusively to authorised staff involved in organising the event. Transmission logs are kept to document compliance with the GDPR requirements.
6. Rights of the data subject
In accordance with Regulation (EU) 2016/679 (GDPR), you have the following rights:
The right to be informed — through this privacy notice;
The right of access to the data processed (Art. 15 GDPR);
The right to rectification of inaccurate or incomplete data (Art. 16 GDPR);
The right to erasure of data in certain circumstances — the right to be forgotten (Art. 17 GDPR);
The right to restriction of processing (Art. 18 GDPR);
The right to data portability (Art. 20 GDPR);
The right to object (Art. 21 GDPR) — you may object to the processing of your image, voice or recordings in which you appear, both during the event (by notifying the organising team or, for online events, by deactivating the camera and microphone) and afterwards, by written request to NCC-RO or the DPO. NCC-RO will assess the request on the basis of a balancing test between the public interest pursued and the specific situation of the data subject, and where the objection is well-founded it will anonymise or remove the person from the published materials, in so far as this is technically possible;
The right not to be subject to a decision based solely on automated processing (Art. 22 GDPR);
The right to lodge a complaint with the National Supervisory Authority for Personal Data Processing (ANSPDCP).
ANSPDCP contact details:
B-dul General Gheorghe Magheru no. 28-30, Sector 1, Bucharest, postal code 010336
Telephone: +40.318.059.211
E-mail: anspdcp@dataprotection.ro
Website: www.dataprotection.ro
7. How to exercise your rights
Data subjects may exercise their rights by sending a written request to the contact addresses of the controller. Requests are resolved within a maximum of 30 days of receipt. In justified situations related to the complexity of the request, the deadline may be extended by no more than two months, with prior notification of the applicant.
For requests concerning the right to object to the use of photographs and audio-video recordings, NCC-RO will assess the merits of the request and, if upheld, will withdraw the material from active circulation as soon as possible (removal from the website, social media or the participant-facing sharing platforms), with the archiving of the material in the project audit trail being carried out with appropriate anonymisation measures, where technically possible.
Contact for exercising rights:
NCC-RO e-mail: ncc-ro@ncc.gov.ro
ADR DPO: dpo@adr.gov.ro
Address: B-dul Libertății no. 14, Sector 5, Bucharest
8. Specific aspects of online events and recordings distributed to participants
For events held in online format (webinars, working sessions on video platforms, hybrid conferences) and for events recorded with a view to subsequently transmitting the materials to participants, the following specific rules apply:
8.1. Announcing the recording
The start of the session recording is announced verbally by the moderator and/or through a message visibly displayed in the platform, before it begins. Many video platforms (Zoom, Microsoft Teams, etc.) automatically display an active-recording indicator on the screen of all participants.
8.2. Exercising the right to object during online events
Participants who do not wish to appear in the recording may exercise the right to object by:
deactivating the video camera and/or microphone for the duration of the session;
using a neutral name or a pseudonym in the platform interface;
asking questions exclusively through the platform’s written chat, without audio-video participation;
subsequently requesting exclusion from the recording by contacting the NCC-RO addresses indicated.
NCC-RO recommends using these options, given that the documentation of events is part of the institution’s public-interest mandate and that the complete avoidance of capturing participants’ images is not always possible for operational reasons.
8.3. Distribution of materials to participants
After the event has ended, the recordings and associated materials (presentations, photographs, agendas, supporting materials) may be transmitted to participants via a secure download link, e-mail or sharing platform with controlled access.
8.4. Publication on the official NCC-RO channels
The publication of event excerpts on the NCC-RO website, social media accounts or in activity reports is carried out on the basis of the public interest of the institution’s activity. Identifiable persons appearing in the material may exercise the right to object at any time by written request to the NCC-RO contact addresses; where the request is upheld, the persons are anonymised (blurring of the image, cropping of the relevant frames, removal of identifiable audio segments) or the material in question is withdrawn.
9. References and applicable legislation
Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR);
Regulation (EU) 2021/887 — establishing the ECCC and the network of national coordination centres;
Law no. 190/2018 on measures implementing the GDPR in Romania;
Regulation (EU) 2021/1060 on the structural and cohesion funds;
National Archives Law no. 16/1996;
ANSPDCP guidelines on data protection in public-interest activities.