Last updated: 01/06/2026
Table of Contents
- Disclaimer
- Who is responsible for processing your personal data (data controller)?
- For which purpose do we process your data?
- Which personal data are processed?
- Who has access to your personal data, and to whom is it disclosed?
- How long do we keep your personal data?
- How do we protect and safeguard your personal data?
- What are your rights concerning your personal data, and how can you exercise them?
- Contact Information
- On which legal basis are we processing your personal data?
- How are we processing your personal data?
- How do you process personal data regarding minors?
- Changes to the Policy
- Cookies
- Glossary
Disclaimer
Erasmus Student Network (ESN) is an independent, non-partisan, non-political, and non-profit international association which operates under Belgian law. ESN is supported as a Civil Society stakeholder by both the Council of Europe, through the European Youth Foundation, and the European Union, through the Civil Society Cooperation Grant, co-funded by the European Union. Disclaimer for the Co-funding of the European Union: Views and opinions expressed are, however, those of the author(s) only and do not necessarily reflect those of the European Union or the European Education and Culture Executive Agency (EACEA). Neither the European Union nor EACEA can be held responsible for them.
Dear Data Subject, GDPR provides for the protection of individuals concerning the processing of Personal Data as a fundamental right. As ESN, we are committed to safeguarding the privacy of our website visitors; in this policy, we explain how we will treat your personal information.
Pursuant to Article 13 of the GDPR, therefore, we will process your Personal Data according to the present Privacy Policy, which describes how such data is collected, stored, used, communicated and managed by ESN and the related Services.
By using our website and agreeing to this policy, you consent to our use of cookies in accordance with the terms of this policy. Please notify us without delay should you notice any instances in which any violation of the present Privacy Policy occurs.
1. Who is responsible for processing your personal data (data controller)?
The Data Controller is:
Erasmus Student Network
Rue Joseph II / Jozef II-straat 120
1000 Brussels, Belgium
The person designated as being in charge of the processing operation is the Web Project Administrator of the International Board.
The contact email address is: data-privacy@esn.org.
2. For which purpose do we process your data?
The processing of users’ Personal Data has its legal basis in their consent and is carried out for the following purposes:
- Administer our website and business;
- Personalise our website for you;
- Enable the use of the services available on our website for you;
- Send you email notifications that you have specifically requested;
- Provide third parties with statistical information about our users (such third parties will not be able to identify any individual user from that information);
- Provide third parties with personal data needed to comply with the purpose of this website; this will be done only under prior and explicit approval by the user;
- Organise events according to the aims and objectives of our Association, in which you can participate;
- Deal with enquiries and complaints made by or about you relating to our website;
- Verify compliance with the terms and conditions governing the use of our website;
- Keep our website secure and prevent fraud; and
- Send service-related notifications that may be of importance to continue using the Services, and safety/security notifications related to the participation in programmes featured in our Service.
3. Which personal data are processed?
We may collect, store and use the following kinds of personal information, collected directly from the Data Subject:
- information that you provide when registering with our website;
- information about your computer and about your visits to and use of the website (including your IP address, geographical location, browser type and version, operating system, referral source, length of visit, page views and website navigation paths);
- information that you provide when completing your profile on our website (including but not limited to your full name, email, username, profile picture, gender, date of birth, nationality, home residence, full address, educational details and other information set in your profile fields);
- information that you provide for the purpose of subscribing to our email notifications and/or newsletters (including your name and email address);
- information that you provide when using the services on our website or that is generated in the course of the use of those services (including the timing, frequency and pattern of service use);
- information contained in or relating to any communication that you send to us or send through our website (including the communication content and metadata associated with the communication); and
- any other personal information that you choose to send to us.
If the Personal Data communicated to us does not belong to the same natural person who communicates it, the latter will be required to explicitly confirm that they have obtained the relevant consent from the Data Subject. In such cases, with the vision of this Privacy Policy and with the above-mentioned confirmation, you also undertake to hold us harmless in case of false or misleading statements, in particular in case you have not actually obtained the consent to the processing from the relevant Data Subjects.
The voluntary sending, on your part, of e-mails to our e-mail addresses does not require further information or requests for consent.
On the contrary, specific summary information will be reported or displayed if needed in the pages of the site prepared for particular services on request (form). You must therefore explicitly consent to the use of the data reported in these forms to send any request.
4. Who has access to your personal data, and to whom is it disclosed?
Access to your personal data is provided to ESN members responsible for carrying out this processing operation and to any authorised staff according to the “need to know” principle. Such staff abide by confidentiality obligations.
The following people may also have access to your personal data:
- Authorised staff and members of the Erasmus Student Network, such as:
- ESN Headquarters, acting as processor;
- National Boards of ESN Members, acting as joint controllers;
- Local Boards and Volunteers of ESN Members, acting as joint controllers.
Information that we collect may be stored and processed in and transferred between any of the countries in which we operate in order to enable us to use the information in accordance with this policy. If and when we transfer Personal Data to affiliated entities or to other third parties across borders and from your country or jurisdiction to other countries or jurisdictions around the world, we will still take all appropriate measures to ensure compliance with the GDPR.
The contractor responsible for providing IT services is Droptica. You can see their privacy policy here.
In performing the aforementioned activities, the processors may use both M365 tools and additional comparable collaboration, communication, survey, or project-management tools necessary to carry out the activities, provided that such tools offer equivalent data-protection safeguards and are used in compliance with the Regulation.
Personal data publications will only occur for clearly defined communication or dissemination purposes, in line with the applicable data protection rules and with the appropriate safeguards, including consent, where required, and minimisation of identifiable data.
In order to perform the provision of services, personal data may be transferred to providers based outside of the European Union. This transfer is based on the Adequacy Decision adopted by the European Commission for the EU-U.S. Data Privacy Framework and, for other third countries, on derogations as per Article 50 of the data protection regulation. Please remember that in such cases, any Processing is also subject to the relevant third parties’ privacy policies. In such cases, information that we collect may also be transferred to countries that do not have data protection laws equivalent to those in force in the European Economic Area. By using this website, you expressly agree to such transfers.
Personal information that you publish on our website or submit for publication on our website may also be available, via the internet, around the world. We cannot prevent the use or misuse of such information by others.
In case of organisation of the events, some may take place onsite in countries outside the EU-EEA area. This will be based on either an adequacy decision pursuant to Article 47 of the Regulation or, for those countries not covered by an adequacy decision, by a derogation under Article 50 of the Regulation. The registration of participants as well as the booking of travel and accommodation of participants may be handled either directly by the participants or by the organiser, which may require the collection and transfer of personal data to these third countries. Such registration or booking and subsequent transfers of personal data will only occur upon the explicit consent of the data subjects (Article 50.1(a) of the Regulation).
Our website uses APIs that share only public information (e.g., the name of the company) with third-party websites in order to integrate some services.
The information we collect will not be given to any third party, except to the extent and for the purpose we may be required to do so by law.
In addition, data may be disclosed to public authorities in accordance with Union and Member State law such as the European Court of Justice, the relevant national judge as well as the lawyers and the agents of the parties in case of legal proceedings, the competent Appointing Authority in case of a request or a complaint lodged under Articles 90 of the Staff Regulations, the European Anti-Fraud Office (OLAF), the Court of Auditors, the European Ombudsman, the European Data Protection Supervisor (EDPS) and the European Public Prosecutor’s Office (EPPO).
5. How long do we keep your personal data?
The data collected will be stored for a period of time not exceeding the achievement of the purposes for which they are processed (“principle of limitation of storage”, art. 5 of the Regulation) or according to the deadlines provided for by law, to comply with our and our Members’ legal obligations, to resolve disputes, and enforce our agreements. The verification of the obsolescence of the data stored in relation to the purposes for which they were collected is carried out periodically. More specifically:
- Data related to accounts is kept for at least 5 years for active users (i.e. users who accessed the accounts at least once over a 1-year timeframe), provided that national regulations don’t specify anything different for Members of the ESN. The table below gives the specific data retention time requested by each Member of the ESN.
| ESN Country | Retention time | Reference law |
| --- | --- | --- |
| Albania | 2 years | Data Protection Law - No. 124/2024 |
| Armenia | 5 years | |
| Austria | 7 years | |
| Azerbaijan | 5 years | |
| Belgium | 10 years | |
| Bosnia & Herz. | 5 years | |
| Bulgaria | 10 years | |
| Croatia | 5 years | Act on the Implementation of the General Data Protection Regulation |
| Cyprus | 7 years | |
| Czechia | 10 years | |
| Denmark | 5 years | |
| Estonia | 7 years | |
| Finland | 10 years | |
| France | 5 years | Loi n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés |
| Georgia | 5 years | |
| Germany | 10 years | |
| Greece | 20 years | |
| Hungary | 8 years | |
| Iceland | 7 years | |
| Ireland | 7 years | |
| Italy | 10 years | |
| Jordan | 3 years | |
| Kazakhstan | 5 years | |
| Latvia | 10 years | |
| Liechtenstein | 10 years | |
| Lithuania | 10 years | |
| Luxembourg | 10 years | |
| Malta | 10 years | |
| Moldova | 5 years | |
| Montenegro | 5 years | |
| Netherlands | 7 years | |
| Norway | 5 years | |
| Poland | 5 years | |
| Portugal | 10 years | |
| Romania | 10 years | |
| Serbia | 5 years | |
| Slovakia | 10 years | |
| Slovenia | 10 years | |
| Spain | 5 years | |
| Sweden | 7 years | |
| Switzerland | 10 years | |
| Turkey | 10 years | |
| Ukraine | 5 years | |
| United Kingdom | 6 years | |
- Data are securely archived with restricted/encrypted access and kept only for the purposes of providing evidence to eventual audits or exercising legal claims, in line with the provisions of the service contract.
- Eventual data concerning health (dietary restrictions) and disabilities collected for events – processed only for the purpose of accommodating participants’ needs – is deleted one month after the event for which it was collected.
- After the retention period defined in this privacy policy, personal data will be anonymised and used only for statistical inquiries and analysis.
6. How do we protect and safeguard your personal data?
Relevant technical and organisational measures are taken by ESN to ensure the security of your personal information.
Technical measures include appropriate actions to address online security, risk of data loss, alteration of data or unauthorised access, taking into consideration the risk presented by the processing and the nature of the personal data being processed.
Organisational measures include restricting access to the personal data solely to authorised persons with a legitimate need to know for the purposes of this processing operation. Access to your data is done via an authentication system on an individual basis through a user ID and a password. Your data resides on third-party (AWS) secured (password- and firewall-protected) servers.
You acknowledge that the transmission of information over the internet is inherently insecure, and we cannot guarantee the security of data sent over the internet.
Our website includes hyperlinks to, and details of, third-party websites not administered by ESN or any of its Members. We have no control over, and are not responsible for, the privacy policies and practices of third parties.
You are responsible for keeping the password you use for accessing our website confidential; we will not ask you for your password (except when you log in to our website).
ESN’s Members (ESN Sections and ESN National Organisations) are bound by specific contracts for any processing operations of your data on behalf of ESN International, and by the confidentiality obligations deriving from the transposition of the General Data Protection Regulation in the EU Member States (‘GDPR’ Regulation (EU) 2016/679).
7. What are your rights concerning your personal data, and how can you exercise them?
Pursuant to GDPR, users (and/or the Users who communicated the relevant Data) have the right to request that the controller access the Personal Data provided (art. 15 GDPR) and to ask to receive a copy of such Data in an intelligible format in order to transmit it to another data controller (art. 20 GDPR). They have the right to obtain their update, rectification or integration (art. 16 GDPR) in case they are inaccurate or incomplete, and to obtain their erasure (art. 17 GDPR). Users also have the right to request the restriction of the Processing of their personal data (art. 18 GDPR) or to object, on legitimate grounds, to such Processing (art. 21 GDPR). We inform you, however, that the exercise of such rights may be subject to limitations or exclusions pursuant to the GDPR or other relevant regulations.
Where the users consider that the processing of Personal Data by us has been carried out in violation of the GDPR, without prejudice to any other administrative or judicial remedy, they have the right to lodge a complaint with their national supervisory authority, in particular in the Member State of their habitual residence, place of work, or the place where the alleged violation took place.
Users may also object to Personal Data being subject to automated decision-making, including profiling practices. We inform you, however, that we do not carry out any processing that may fall within the aforementioned case. Should this situation change in the future, we will promptly update this Privacy Policy.
Lastly, the Data Subjects concerned (and/or the Users who communicated the relevant Data) may at any time communicate their intention to withdraw their consent. In such cases, we may continue to process the relevant Personal Data only in the presence of an alternative legal basis for such further Processing.
8. Contact Information
If you have questions or wish to exercise your rights under the Data Protection Regulation or if you want to submit a complaint regarding the processing of your personal data, you are invited to contact the Data Controller (see contact details above).
9. On which legal basis are we processing your personal data?
We process the The user’s consent is mandatory, and in particular to be able to have Main Institutional and/or Personal accounts, with regard to the purposes under points 3, 4, 8 and 10 above. For the purposes of points 2, 7, and 9, the consent is optional, but the lack thereof may worsen the provision of the Services. For the other purposes, the consent is optional and will not compromise in any way the provision of the Service. Should you desire not to provide your consent for one or more specific purposes, please inform us at the time your Personal Data is communicated to us, or at any time thereafter, by contacting us.
10. How are we processing your personal data?
The Personal Data provided to us will be processed in compliance with the GDPR and the obligations of confidentiality that govern the activity of the Data Controller. The data will be processed both with computer tools and on paper or any other suitable support, in compliance with the appropriate security measures under Article 5 par. 1 letter F of the GDPR.
11. How do you process personal data regarding minors?
We do not knowingly collect or solicit personal information from anyone under the age of 18 or knowingly allow such persons to use our Services. If you are under such age, please do not send any information about yourself to us, including your name, address, telephone number, or email address. In the event that we learn that we have collected Personal Data from an individual under the age of 18, we will delete such Data as quickly as possible. If you believe that we might have received any Personal Data from or about an individual under the age of 18, please contact the Data Controller (see contact details above).
Changes to the Policy
We may update this privacy policy to reflect changes to our processing and/or data protection practices. If we make any material changes, we will notify the users by means of a notice on our sites prior to the change becoming effective. In any case, please visit this Privacy Policy periodically.
Cookies
Our website uses cookies.
A cookie is a file containing an identifier (a string of letters and numbers) that is sent by a web server to a web browser and is stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server.
Cookies may be either "persistent" cookies or "session" cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date; a session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed.
Cookies do not typically contain any information that personally identifies a user, but personal information that we store about you may be linked to the information stored in and obtained from cookies.
We use both session and persistent cookies on our website.
Most browsers allow you to refuse to accept cookies; for example:
- In Internet Explorer (version 11), you can block cookies using the cookie handling override settings available by clicking "Tools", "Internet Options", "Privacy" and then "Advanced";
- In Firefox (version 47), you can block all cookies by clicking "Tools", "Options", "Privacy", selecting "Use custom settings for history" from the drop-down menu, and unticking "Accept cookies from sites"; and
- In Chrome (version 52), you can block all cookies by accessing the "Customise and control" menu and clicking "Settings", "Show advanced settings" and "Content settings", and then selecting "Block sites from setting any data" under the "Cookies" heading.
Blocking all cookies will have a negative impact on the usability of many websites.
If you block cookies, you will not be able to use all the features on our website.
In particular, we resort to Google Analytics to track and report website traffic, and we use login session cookies to allow you to log in and access all functionalities of your Account.
Glossary
We, or Provider or ESN - the Erasmus Student Network, a non-profit international student organisation whose mission is to represent international students, thus providing opportunities for cultural understanding and self-development under the principle of Students Helping Students.
Members - the Affiliated organisations of ESN, namely the National Organisations - i.e. national branches of ESN - and the Sections - i.e. local branches of ESN.
GDPR - Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
Personal Data - any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processing - any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Services - any services provided or made available by the Provider via the SIEM platforms, as well as relevant interconnected tools or relating thereto.